January 15, 2022 02:43 pm GMT

What are Vault User Policies & how to create them? Hashicorp Vault

Hashicorp Vault

Hashicorp Vault is open-source software from Hashicorp that is used to manage secrets.

What is a secret?

A secret is anything a user or system presents to authenticate or authorize itself, and more generally any piece of information that is private to a user.

What are policies?

Policies let you define rules that govern access to secrets. A policy can grant a given level of access, such as create, update, read or delete, on a set of paths. We then attach the policy to a particular authentication mechanism of a user, and that user has only the access listed in the policies attached to their credentials. This is how Vault ensures that each Vault stakeholder gets the minimal access they actually need.

# export variables that will be used by Vault when commands
# are run in the current terminal session
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='s.hfAJfADfj...'

# check Vault server status
vault status

# login into Vault
vault login

# view current logged in token information
vault token lookup

# create policies and respective tokens
vim secret-user-policy.hcl
# contents of secret-user-policy.hcl:
path "secret/data/*" {
  capabilities = ["read"]
}

vim secret-admin-policy.hcl
# contents of secret-admin-policy.hcl:
path "secret/data/*" {
  capabilities = ["read", "create", "update"]
}

# command to write policy
vault policy write secret-user-policy secret-user-policy.hcl
vault policy write secret-admin-policy secret-admin-policy.hcl

# read policy (the subcommand is "vault policy read", not "vault read")
vault policy read secret-user-policy
vault policy read secret-admin-policy

# create a token for each policy; these are the tokens used in the test below
vault token create -policy=secret-user-policy
vault token create -policy=secret-admin-policy

The HCL file consists mainly of a path and a list of capabilities. The path states which Vault paths the enclosed capabilities apply to, and paths may use regular expressions to match several Vault paths at once. The capabilities are:

  1. read: Similar to the GET HTTP method, allows reading the data at the given path.
  2. create: Similar to the POST & PUT HTTP Method, allows creating data at the given path. Very few parts of Vault distinguish between create and update, so most operations require both create and update capabilities. Parts of Vault that provide such a distinction are noted in documentation.
  3. update: Similar to the POST & PUT HTTP Method, allows changing the data at the given path. In most parts of Vault, this implicitly includes the ability to create the initial value at the path.
  4. delete: Similar to the DELETE HTTP Method, allows deleting the data at the given path.
  5. list: Allows listing values at the given path.
  6. sudo: Allows access to paths that are root-protected. Tokens are not permitted to interact with these paths unless they have the sudo capability.
  7. deny: Disallows access. This always takes precedence regardless of any other defined capabilities, including sudo.

Source

Testing the policies

Now let us test the policies from two terminals, one logged in with the user token and one with the admin token.

# open one tmux session and split it into a pane for each type of user to test the policies
tmux new -s demo   # then split the screen into an admin pane and a user pane

# in each tmux pane
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='s.hfAJfADfj...'
vault login          # enter the respective token
vault token lookup   # view current logged in token information

# ON ADMIN PANE (notice the version numbers in the output)
# the kv command inserts "data/" itself on a KV v2 mount, so "secret/mysql" is written to
# the API path secret/data/mysql, which is what the policies above cover
vault kv put secret/mysql username=root
# add multiple keys in a single command
vault kv put secret/mysql username=root password=root
# read the value from stdin so the token is not recorded in terminal history
vault kv put secret/googlecloud token=-
# read the key/value pairs from a JSON file
vault kv put secret/googlecloud @apitoken.json
# add multiple keys in a single command
vault kv put secret/aerospike \
    username=root \
    password=root \
    tlsname=securecert \
    namespace=hashicorp
# read secret
vault kv get secret/mysql

# ON USER PANE
vault kv put secret/mysql username=root   # fails: this token only has the read capability
vault kv get secret/mysql
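As an added example (not code from the original post), here is a small Python model of how Vault evaluates the capability list above for a request path, applied to the user and admin policies from the tmux test: rules for the same path are merged across the policies attached to a token, an exact path beats a glob, the most specific glob wins, and deny overrides everything. The parser handles only the path/capabilities form shown on this page, not full HCL; the `secret/data/prod/*` deny rule is an assumed addition; and `path_matches` implements Vault's trailing `*` prefix glob, which is how Vault actually matches paths.

```python
import re
from typing import Dict, List, Set

# Constructed policies in the same path/capabilities shape as the page's two HCL files.
# The "secret/data/prod/*" deny rule is an assumed addition to show deny precedence.
SECRET_USER_POLICY = '''
path "secret/data/*" {
  capabilities = ["read"]
}
'''
SECRET_ADMIN_POLICY = '''
path "secret/data/*" {
  capabilities = ["read", "create", "update"]
}
path "secret/data/prod/*" {
  capabilities = ["deny"]
}
'''

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    # Minimal parser for the path { capabilities = [...] } form used above, not full HCL.
    return {path: {c.strip().strip('"') for c in caps.split(",") if c.strip()}
            for path, caps in RULE_RE.findall(hcl)}

def path_matches(rule_path: str, request_path: str) -> bool:
    # Vault treats a trailing '*' as a prefix glob; any other rule path must match exactly.
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path

def effective_capabilities(policies: List[Dict[str, Set[str]]], request_path: str) -> Set[str]:
    # Union rules for the same path across all attached policies, then pick the most
    # specific one: an exact match beats any glob, otherwise the longest glob prefix wins.
    matched: Dict[str, Set[str]] = {}
    for rules in policies:
        for rule_path, caps in rules.items():
            if path_matches(rule_path, request_path):
                matched.setdefault(rule_path, set()).update(caps)
    if not matched:
        return set()  # no matching rule at all: Vault denies by default
    caps = matched[request_path] if request_path in matched else matched[max(matched, key=len)]
    return set() if "deny" in caps else caps  # deny overrides every other capability

def is_allowed(policies: List[Dict[str, Set[str]]], request_path: str, capability: str) -> bool:
    return capability in effective_capabilities(policies, request_path)

if __name__ == "__main__":
    admin = [parse_policy(SECRET_ADMIN_POLICY)]
    print(is_allowed(admin, "secret/data/prod/db", "read"))  # False: deny wins over the read glob
```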

Thus, we have seen what goes into creating a policy, how to create one, and have also tested the policies to see the difference between them.

More trending articles on Hashicorp Vault:

What is Vault? Why do we need it?

Set up a Vault Dev and Production server in 5 minutes.

You can find more articles here: https://dev.to/developertharun

Roadrunners is a series that is aimed at delivering concepts as precisely as possible. Here, a roadrunner is referred to as a person who does things super fast & efficiently. Are you a roadrunner?

Thank you


Original Link: https://dev.to/developertharun/what-are-vault-user-policies-how-to-create-them-hashicorp-vault-31ko
