Skip to content

vault: post policy as HCL; find a more ergonomical approach for creating policies via the http api #16

New issue
New issue
Open
Open
vault: post policy as HCL; find a more ergonomical approach for creating policies via the http api#16
@noahehall

Description

@noahehall
noahehall
opened on Dec 24, 2022

C

  • we need the ability to write policies in HCL, with any level of complexity, and post those HCL policies to a vault server

T

  • dude you just need to convert the policy to a string with quotes escaped, see below

A

creating policy policy_admin_vault:
path "secret/*" { # kv-v2
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo"]
}

path "env/*" { # kv-v1
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo"]
}

path "sys/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "auth/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "database/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "pki*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}


[DEBUG] SCRIPT.VAULT.SH
------------
[url]: https://dev.nirv.ai:8300/v1/sys/policies/acl/policy_admin_vault
[args]: -H X-Vault-Token: hvs.EqX-Bzh2cy5yb1lkcXlraHhYWmlLY1R5U2FxcTdoTWo --data {
    "policy": 
        "

                path \"secret/*\" {   
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\"]
                }
                path \"env/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\"]
                }
                path \"sys/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"auth/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"database/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"pki*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
        "
    }
------------

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    nirvai

    Status

    THE PITS

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions