新令牌不允许访问策略

时间:2019-04-17 16:15:24

标签: hashicorp-vault

已经设置了Hashicorp Vault docker容器,但是在使用生成的令牌而不是根令牌时似乎无法获取数据库凭据。

error occurred: permission denied

重新创建步骤:

我创建了最新的容器,获取了根令牌并用它进行身份验证。

运行以下命令:

export VAULT_ADDR='http://127.0.0.1:8200'
vault secrets enable database
vault auth enable approle
vault write sys/policy/test policy='path "database/roles/" {capabilities = ["create", "read", "update", "delete", "list"]} path "auth/approle/login" { capabilities = [ "create", "read" ]} path "database/creds/" {capabilities = ["create", "read", "update", "delete", "list"]} path "secret/dbcreds" {capabilities = ["create", "update", "read"]} path "sys/mounts/" {capabilities = [ "create", "read", "update", "delete", "list" ]} path "database/" { capabilities = [ "create", "read", "update", "delete", "list" ]}'
vault write database/config/mssql plugin_name="mssql-database-plugin" root_rotation_statements="ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}'" connection_url="sqlserver://{{username}}:{{password}}@sql:1433" allowed_roles="*,test" username="***MY_USER***" password="***MY_PASS***"
vault write database/roles/Tenant_1 db_name=mssql creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';USE [Tenant_1];CREATE USER [{{name}}] FOR LOGIN [{{name}}];ALTER ROLE [db_owner] ADD MEMBER [{{name}}];" default_ttl="1h" max_ttl="24h"
vault write auth/approle/role/test secret_id_ttl=0 token_num_uses=0 token_ttl=20m token_max_ttl=30m secret_id_num_uses=0 policies="default, test"
vault read auth/approle/role/test/role-id
vault write -f auth/approle/role/test/secret-id
vault write auth/approle/login role_id=***role_id*** secret_id=***secret_id***
vault secrets enable -version=2 kv  

我还尝试将'vault write'替换为'vault kv put',并获得了所有命令的成功。

所以我使用标头调用GET http://127.0.0.1:8200/v1/database/creds/Tenant_1

X-Vault-Token
**Root-Token**

有效。

如果我使用有效的角色/秘密ID调用POST http://127.0.0.1:8200/v1/auth/approle/login,我将成功获得令牌。但是,如果我尝试在GET调用中使用此令牌代替Root,则会拒绝授予权限。

在策略配置中,我觉得/ database / creds是策略的一部分。

如果我对生成的令牌进行令牌查找:

Key                 Value
---                 -----
accessor            PNe8WQiXnZvlFNEJekXO2es4
creation_time       1555517775
creation_ttl        20m
display_name        approle
entity_id           acc7558b-02b1-328d-4705-74f00ab9524b
expire_time         2019-04-17T16:36:15.6815637Z
explicit_max_ttl    0s
id                  s.iGkfsCUS6JX58SiDl8pfFN2K
issue_time          2019-04-17T16:16:15.6815627Z
meta                map[role_name:test]
num_uses            0
orphan              true
path                auth/approle/login
policies            [default test]
renewable           true
ttl                 16m35s
type                service

对我好!!

有什么想法吗?

1 个答案:

答案 0 :(得分:1)

好吧,这浪费了好几个小时,但是对于其他有类似问题的人都有解决方案。

我的策略从一开始就缺少/ *,因此即使令牌有效,也没有访问这些凭据的权限。