Hashicorp Vault — Create Auth Tokens Only, Don't read secrets
Question
I'm using Hashicorp Vault:
I want a user that can create new users, but can't read their secrets.
Would I just create a policy like:
path "sys/auth/token/*" {
policy = "write"
}
since all policies are set to deny?
1 answers
solution1
2 ACCPTED 2016-09-02 12:40:21
This was the incorrect way to use Vault. These were my errors:
- Trying to store user passwords. For me, it looks better to handle platform passwords, like the integrated temporary postgre credentials.
- Trying to remove any trace of authentication keys on the server. If Vault users were going to be created automatically, Vault credentials will need to exist somewhere, either in a script or file with proper permissions.
- Trying to mitigate a rooted server. If someone has root access, there are larger problems than that. Encryption can mitigate data leaks, like a database dump. Data leaks if root access has been compromised in my case must be accepted. It's best to focus on not getting rooted.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Can I create a policy on Hashicorp Vault to allow token owners to only read their own secrets?
Why does Vault by HashiCorp require the ipc_lock capability to be enabled?
User folder accidently relocated, don't have permissions to move it back (Read only file system)
create threads but don't run it immediately in linux
linux bind don't create socket
Why can't I create read-only, shared mappings after setting F_SEAL_WRITE?
.NET 6 on Arch Linux: User Secrets not being read
Create a read-only file in yocto
Create read only folder in C language
cp command don't create directory in a sh\bash script, why?
Related Tags