jonasvinther / medusa

A cli tool for importing and exporting Hashicorp Vault secrets


required policy?

rockandska opened this issue

Hi,

I created a policy dedicated to my needs with:

path "secret/*" {
  capabilities = ["read", "list"]
}

and it works as expected with the CLI.

But when using a token bound to this policy I hit the error below:

$ ./medusa export secret -m kv1 -a https://127.0.0.1:8200 -k -t xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Error making API request.

URL: GET https://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret
Code: 403. Errors:

* permission denied

I don't get why medusa needs to access v1/sys/internal/ui/mounts/secret for looping over what is in secret.

Regards,

Hi @rockandska
What version of Vault are you using?

There is actually a good reason for this. Please have a look at #70 to read the explanation for this need.

An old one @jonasvinther: 0.9.5

Not sure I get all the reasons in #70, but my token works in the CLI with the policy shown above.

Adding a minimal policy example in the README for a read-only user would be nice.

Thanks
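A minimal read-only policy for this export, added here as an example and not taken from the medusa README: it keeps the `secret/*` rule from the report and, as an assumption drawn from the 403 on `sys/internal/ui/mounts/secret` above (and assuming a Vault version that serves that endpoint), adds read on that path so the mount lookup succeeds.

```hcl
# Policy as posted in the issue: enough for `vault kv get/list`, but the
# export fails because the mount lookup under sys/internal/ui/mounts is denied.
#
# path "secret/*" {
#   capabilities = ["read", "list"]
# }

# Corrected read-only policy (assumption: granting read on the mount-info
# endpoint is what the 403 in the issue is asking for).
path "secret/*" {
  capabilities = ["read", "list"]
}

# Lets the client read mount metadata (e.g. KV v1 vs v2) for the mounts it
# exports. Narrow to "sys/internal/ui/mounts/secret" if only one mount is
# ever exported.
path "sys/internal/ui/mounts/*" {
  capabilities = ["read"]
}
```

After writing the policy with `vault policy write medusa-ro medusa-ro.hcl`, a token's effective access can be checked with `vault token capabilities <token> sys/internal/ui/mounts/secret` before retrying the export.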