I am trying to run through a simple use case of creating a user and writing a kv secret with Vault v1.1.2:
First, after starting the server in production mode, I do some initial setup:
vault operator unseal <unseal key>
vault operator unseal <unseal key>
vault operator unseal <unseal key>
export VAULT_ROOT_TOKEN=<token>
Next, I do some more setup, including creating a policy:
vault -version
vault login $VAULT_ROOT_TOKEN
vault auth enable userpass
vault secrets enable -version=2 -path=secret kv
vault policy write my-policy -<<EOF
path "secret/*" {
capabilities = ["create", "update"]
}
path "secret/foo" {
capabilities = ["read"]
}
path "secret/data/*" {
capabilities = ["create", "update"]
}
path "secret/data/foo" {
capabilities = ["read"]
}
EOF
vault token create -policy=my-policy
Then I create a user:
vault write auth/userpass/users/chris \
password=password \
policies=my-policy,default
vault login -method=userpass username=chris password=password
Which returns:
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token ...
token_accessor ...
token_duration 10h
token_renewable true
token_policies ["default" "my-policy"]
identity_policies []
policies ["default" "my-policy"]
token_meta_username chris
Next, I try to write a kv secret:
vault kv put secret/foo my-value=s3cr3t
However, I get the error:
Error writing data to secret/data/foo: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/data/foo
Code: 403. Errors:
* 1 error occurred:
* permission denied
What am I missing?
Answer 0 (score: 0)
OK, it was my policy. I changed path "secret/data/foo" to the following and it works fine.
path "secret/data/foo" {
capabilities = ["create", "read", "update", "delete"]
}
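Why the original policy denied the write: a KV v2 `vault kv put secret/foo` is an API request to `secret/data/foo`, and in Vault an exact-path rule takes precedence over a glob rule, so the `secret/data/foo` stanza with only `read` governed the request instead of the `secret/data/*` stanza. The following is an added illustration written for this page (not Vault's own code) that models that precedence rule, with the simplifications that an exact match always wins, the longest matching glob prefix wins otherwise, and a write needs `create` or `update`; the policy dictionaries are the asker's original policy and the answer's fix.

```python
"""Simplified model of how Vault chooses the policy rule for a request path.

Assumptions (added illustration, not Vault's implementation):
  * an exact-path rule beats any glob ("prefix/*") rule;
  * among glob rules, the longest matching prefix wins;
  * `vault kv put secret/foo` on KV v2 is a write to secret/data/foo that
    needs "create" (new key) or "update" (existing key).
"""


def governing_rule(policy: dict, request_path: str):
    """Return the capability list of the rule Vault would apply, or None."""
    if request_path in policy:  # exact match always wins
        return policy[request_path]
    best, best_len = None, -1
    for rule_path, caps in policy.items():
        if rule_path.endswith("*"):
            prefix = rule_path[:-1]
            if request_path.startswith(prefix) and len(prefix) > best_len:
                best, best_len = caps, len(prefix)  # longest prefix wins
    return best


def can_write(policy: dict, request_path: str) -> bool:
    """True if the governing rule allows a KV write on request_path."""
    caps = governing_rule(policy, request_path) or []
    return "create" in caps or "update" in caps


# The asker's original policy; KV v2 data lives under secret/data/<key>.
ORIGINAL = {
    "secret/*": ["create", "update"],
    "secret/foo": ["read"],
    "secret/data/*": ["create", "update"],
    "secret/data/foo": ["read"],
}

# The answer's fix: widen the exact rule for secret/data/foo.
FIXED = dict(ORIGINAL, **{"secret/data/foo": ["create", "read", "update", "delete"]})

if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{name}: write secret/data/foo allowed ->", can_write(pol, "secret/data/foo"))
```

Other keys such as `secret/data/bar` were never affected, because no exact rule exists for them and the `secret/data/*` glob applies.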