fabio
Documented preflight policy path
Added a section describing that newer versions of Vault need the preflight check path to be readable (fixes #876).
Added documentation for token renewal, which was also missing.
I set up a local Vault instance running in dev mode, pointed my fabio instance at it, and was able to create the following minimal policy to support the v2 kv store, including the preflight check. It appears that it is unnecessary to use the full ui mount path in the policy:
```hcl
path "secret/data/fabio/certs/*" {
  capabilities = ["read"]
}
path "secret/metadata/fabio/certs" {
  capabilities = ["list"]
}
```
The ability to self-renew is enabled in the default policies, though I do agree it would be useful to call it out in case some operator has removed this from the default policy. This is the default policy on my local dev instance, which was just created:
```hcl
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
# Allow tokens to renew themselves
path "auth/token/renew-self" {
  capabilities = ["update"]
}
# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
  capabilities = ["update"]
}
```
If you could validate my findings and update your documentation PR to include this, I'd like you to get credit for finding this. Another tidbit: it's important to create the token as an orphan and with an explicit period, so that this will keep the token from bumping into the implicit max TTL, which prevents the token from renewing after a time.
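The two policies quoted in the comment above are small enough to reason about by hand, but it is worth checking that they grant exactly what fabio needs on a KV v2 mount and nothing more. The following Go program is an added example, not fabio's or Vault's code: it encodes the posted rules in a deliberately simplified model of Vault's ACL matching (exact path match, or prefix match when a rule ends in `*`; no `deny` capability, no longest-match resolution, which the non-overlapping rules here do not need) and evaluates a handful of request paths against them. `KVv2Paths` is a hypothetical helper that shows why a logical location such as `secret/fabio/certs` turns into separate `data` and `metadata` paths in the policy.

```go
package main

import (
	"fmt"
	"strings"
)

// rule is one path stanza of a Vault policy: the path pattern and the
// capabilities granted on it.
type rule struct {
	path         string
	capabilities []string
}

// policy holds the minimal fabio policy from the comment above plus the
// self-renewal rules from Vault's default policy. This is a constructed
// in-memory copy for the example, not loaded from a Vault server.
var policy = []rule{
	{"secret/data/fabio/certs/*", []string{"read"}},
	{"secret/metadata/fabio/certs", []string{"list"}},
	{"auth/token/lookup-self", []string{"read"}},
	{"auth/token/renew-self", []string{"update"}},
	{"auth/token/revoke-self", []string{"update"}},
}

// matches reports whether a rule path covers a request path. A trailing "*"
// is a prefix glob; anything else must match exactly. This is a simplified
// model of Vault's matcher (assumption: no longest-match or deny handling).
func matches(rulePath, reqPath string) bool {
	if strings.HasSuffix(rulePath, "*") {
		return strings.HasPrefix(reqPath, strings.TrimSuffix(rulePath, "*"))
	}
	return rulePath == reqPath
}

// Allowed reports whether the given capability is granted on reqPath by
// any rule in policy.
func Allowed(reqPath, capability string) bool {
	for _, r := range policy {
		if !matches(r.path, reqPath) {
			continue
		}
		for _, c := range r.capabilities {
			if c == capability {
				return true
			}
		}
	}
	return false
}

// KVv2Paths translates a logical KV v2 location (mount "secret", prefix
// "fabio/certs") into the data path certificates are read from and the
// metadata path that is listed. Hypothetical helper for illustration.
func KVv2Paths(mount, prefix string) (dataPath, metadataPath string) {
	mount = strings.Trim(mount, "/")
	prefix = strings.Trim(prefix, "/")
	return mount + "/data/" + prefix + "/*", mount + "/metadata/" + prefix
}

func main() {
	data, meta := KVv2Paths("secret", "fabio/certs")
	fmt.Printf("data path:     %s\nmetadata path: %s\n\n", data, meta)

	// Constructed request paths: what fabio needs, plus what it must not get.
	checks := []struct{ path, capability string }{
		{"secret/data/fabio/certs/www.example.com", "read"},
		{"secret/metadata/fabio/certs", "list"},
		{"auth/token/renew-self", "update"},
		{"secret/data/fabio/certs/www.example.com", "delete"},
		{"secret/data/fabio/other/key", "read"},
		{"secret/metadata/fabio/certs/sub", "list"},
	}
	for _, c := range checks {
		fmt.Printf("%-6s %-45s allowed=%v\n", c.capability, c.path, Allowed(c.path, c.capability))
	}
}
```

The last three checks should come back `false`: the token cannot delete certificates, cannot read outside the `fabio/certs` prefix, and cannot list below the exact metadata path, which is the least-privilege shape the comment argues for. The token itself is created as an orphan with an explicit period (the Vault CLI exposes these as `-orphan` and `-period` on `vault token create`) so that `auth/token/renew-self` keeps working past the implicit max TTL.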