尝试使用 GCP IAM 身份验证从 Vault 读取机密时出现 403 权限被拒绝
[英]403 Permission Denied when trying to read Secrets from Vault using GCP IAM auth
问题描述
I am using GCP IAM auth method to authenticate against vault.
我正在使用 GCP IAM 身份验证方法对保管库进行身份验证。 I followed the steps as suggested in vault gcp auth to authenticate using a Service Account我按照vault gcp auth 中建议的步骤使用服务帐户进行身份验证
I was able to successfully authenticate and login.我能够成功进行身份验证和登录。 But when I try to read the secrets from the specified path, it says permission denied.但是当我尝试从指定路径读取机密时,它说权限被拒绝。
$vi test-policy.hcl
path "secret/test/*" {
capabilities = ["read"]
}
I have the below roles assigned to my Service Account.我为我的服务帐户分配了以下角色。
- Service Account Admin服务帐户管理员
- Service Account Key Admin服务帐户密钥管理员
- Service Account Token Creator服务帐户令牌创建者
vault kv get secret/test/awskeys
Error reading secret/data/test/awskeys: Error making API request.
URL: GET http://127.0.0.1:8200/v1/secret/data/test/awskeys
Code: 403. Errors:
* 1 error occurred:
* permission denied
I have the same issue using the spring-cloud-vault application as well.我在使用 spring-cloud-vault 应用程序时也遇到了同样的问题。 Is there any role that I missed to assign to this Service Account or am I setting the policy wrong?我是否错过了分配给此服务帐户的任何角色,或者我是否设置了错误的策略?
Note: Vault Server is setup on AWS.注意:Vault 服务器是在 AWS 上设置的。
1 个解决方案
解决方案1
2 已采纳 2020-01-28 10:45:19
It was the policy setting.这是政策设置。 I updated it to below and it worked!我将它更新到下面并且它起作用了! Specific path instead of *.特定路径而不是 *.
path "secret/data/test/awskeys" {
capabilities = ["read"]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.