winter

Reputation: 2917

Unable to restrict Vault policy names in hcl template

I want to be able to create a policy that will allow creating a Kubernetes auth role and allow adding only a policy named kubernetes/default. I am using a policy template as follows:

path "auth/kubernetes/role/{{identity.entity.aliases.auth_jwt_lll.metadata.project_id}}" {
  capabilities = ["read","delete", "list", "patch", "update","create"]
  
  allowed_parameters = {
    policies = ["kubernetes/default"]
    bound_service_account_names = []
    bound_service_account_namespaces = []
    ttl = []
  }
}

This is saved, so I do not think there is a syntax issue, and I also found that this works when I remove "kubernetes/default".

Anyway, I get the error:

  File "/usr/local/lib/python3.11/site-packages/hvac/adapters.py", line 294, in _raise_for_error
    utils.raise_for_error(
  File "/usr/local/lib/python3.11/site-packages/hvac/utils.py", line 41, in raise_for_error
    raise exceptions.VaultError.from_status(
hvac.exceptions.Forbidden: 1 error occurred:
    * permission denied
, on post https://my.local:443/v1/auth/kubernetes/role/2751

The auth token that holds this policy authenticated using a GitLab CI ID token, which is a JWT generated by GitLab and is configured with the OIDC/JWT integration in Vault. I do not believe this is the issue, though.

Upvotes: 1

Views: 33
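To reason about a "permission denied" on a path that carries an `allowed_parameters` block, it helps to see how Vault's documented parameter constraints are evaluated against the request body the client actually sends. The script below is an added example and not code from the question, from Vault or from hvac: it models the documented semantics (a parameter mapped to an empty list accepts any value; a non-empty list is an allowlist that every element of a list-valued request parameter must satisfy; once `allowed_parameters` is set, any request parameter not listed in it is denied) and runs the question's own allowlist against a few constructed request bodies. The request bodies, the `2751` role name and the key names are assumptions for illustration; glob matching and `denied_parameters` are left out.

```python
"""Model of Vault's allowed_parameters evaluation (added example, not Vault code).

Mirrors the documented ACL behaviour of HashiCorp Vault:
  * a parameter mapped to an empty list may take any value,
  * a parameter mapped to a non-empty list must match one of its values
    (every element must match when the request value is itself a list),
  * when allowed_parameters is non-empty, any request parameter that is not
    listed is denied.
"""

# The allowed_parameters block from the question's policy, transcribed as a dict.
ALLOWED_PARAMETERS = {
    "policies": ["kubernetes/default"],
    "bound_service_account_names": [],
    "bound_service_account_namespaces": [],
    "ttl": [],
}


def _value_allowed(value, allowed_values):
    """True when a single request value satisfies the policy's allowed list."""
    if not allowed_values:  # empty list in the policy: any value is acceptable
        return True
    values = value if isinstance(value, list) else [value]
    return all(v in allowed_values for v in values)


def check_allowed_parameters(allowed, body):
    """Return (ok, reason) for a request body checked against an allowed_parameters map."""
    if not allowed:  # no constraint configured on this path: everything passes
        return True, "no allowed_parameters constraint"
    for name, value in body.items():
        if name not in allowed:
            return False, f"parameter {name!r} is not listed in allowed_parameters"
        if not _value_allowed(value, allowed[name]):
            return False, f"parameter {name!r}={value!r} is not in {allowed[name]!r}"
    return True, "all parameters permitted"


# Constructed request bodies (assumptions for illustration, not captured traffic).
BODY_OK = {
    "bound_service_account_names": ["ci-runner"],
    "bound_service_account_namespaces": ["project-2751"],
    "ttl": "1h",
    "policies": ["kubernetes/default"],
}
# Same body, but asking for a policy outside the allowlist.
BODY_OTHER_POLICY = dict(BODY_OK, policies=["default"])
# Same body plus a key the policy never mentions; denied regardless of its value.
BODY_EXTRA_KEY = dict(BODY_OK, token_policies=["kubernetes/default"])


def evaluate_all():
    """Evaluate every constructed body; returns {label: (ok, reason)}."""
    cases = {
        "ok": BODY_OK,
        "other_policy": BODY_OTHER_POLICY,
        "extra_key": BODY_EXTRA_KEY,
    }
    return {label: check_allowed_parameters(ALLOWED_PARAMETERS, body)
            for label, body in cases.items()}


if __name__ == "__main__":
    for label, (ok, reason) in evaluate_all().items():
        print(f"{label:13s} {'ALLOW' if ok else 'DENY '}  {reason}")
```

The practical use is comparative: dump the exact keys and values the client sends (the Vault audit log records the request parameters for a denied call) and feed that body to the checker alongside the policy's allowlist. A key the client adds that the policy does not list, or a value outside a non-empty list, is denied before Vault looks at the capability, which is why loosening the `policies` entry can change the outcome.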

Answers (0)
