
Documented preflight policy path

Open knorx opened this issue 2 years ago • 3 comments

Added section describing that newer versions of vault need the preflight check path to be readable. (fixes #876)

knorx avatar Jun 23 '22 08:06 knorx

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Jun 23 '22 08:06 CLAassistant

Added documentation for token renewal, which was also missing.

knorx avatar Jun 23 '22 09:06 knorx

I set up a local vault instance running in dev mode, point my fabio instance to it and I was able to create the following minimal policy to support v2 kv store, with the preflight check. It appears that it is unnecessary to use the full ui mount path in the policy:

path "secret/data/fabio/certs/*" {
  capabilities = ["read"]
}

path "secret/metadata/fabio/certs" {
  capabilities = ["list"]
}

The ability to self-renew is enabled in the default policies, though I do agree it would be useful to call it out in case some operator has removed this from the default policy. This is the default policy on my local dev instance, which was just created:

# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
    capabilities = ["read"]
}

# Allow tokens to renew themselves
path "auth/token/renew-self" {
    capabilities = ["update"]
}

# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
    capabilities = ["update"]
}

If you could validate my findings, and update your documentation PR to include this, I'd like you to get credit for finding this. Another tidbit, it's important to create the token as an orphan and with an explicit period, so that this will keep the token from bumping into the implicit max ttl which prevents the token from renewing after a time.

nathanejohnson avatar Jul 08 '22 22:07 nathanejohnson
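As an added example (not code from the PR or from fabio itself), a small Python checker that parses a Vault policy and verifies the two grants discussed in this thread, read on the KV v2 data path and list on the metadata path for the preflight check, and flags rules that reach beyond fabio's prefix or carry write capabilities. It assumes the mount name `secret` and the prefix `fabio/certs` from the comment above, and its parser is a simplification that understands only `path` blocks with `capabilities` and trailing-`*` globs, not Vault's full policy grammar.

```python
import re

# Constructed sample: the minimal fabio policy quoted in the comment (KV v2 mounted at "secret").
FABIO_POLICY = '''
path "secret/data/fabio/certs/*" {
  capabilities = ["read"]
}

path "secret/metadata/fabio/certs" {
  capabilities = ["list"]
}
'''

PATH_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
CAPS_RE = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')
WRITE_CAPS = {"create", "update", "patch", "delete", "sudo", "root"}

def parse_policy(hcl):
    """Return {path: set(capabilities)} from a Vault policy in HCL (simplified: path blocks only)."""
    rules = {}
    for path, body in PATH_RE.findall(hcl):
        m = CAPS_RE.search(body)
        caps = {c.strip().strip('"') for c in m.group(1).split(",") if c.strip()} if m else set()
        rules.setdefault(path, set()).update(caps)
    return rules

def grants(rules, wanted, cap):
    """True if a rule with capability `cap` covers `wanted`, exactly or via a trailing-'*' glob."""
    return any(
        cap in caps and (path == wanted or (path.endswith("*") and wanted.startswith(path[:-1])))
        for path, caps in rules.items()
    )

def check_fabio_policy(hcl, mount="secret", prefix="fabio/certs"):
    """Findings for a fabio cert-store policy; an empty list means sufficient and least-privilege."""
    rules = parse_policy(hcl)
    data, meta = f"{mount}/data/{prefix}", f"{mount}/metadata/{prefix}"
    findings = []
    # KV v2 API paths: fabio reads secrets under data/ and lists keys under metadata/ (preflight).
    if not grants(rules, data + "/*", "read"):
        findings.append(f"missing read on {data}/*")
    if not grants(rules, meta, "list"):
        findings.append(f"missing list on {meta} (KV v2 preflight check)")
    # Least privilege: every rule should stay inside the fabio prefix and be read-only.
    for path, caps in rules.items():
        if not path.startswith((data, meta)):
            findings.append(f"rule {path} reaches outside {mount}/{{data,metadata}}/{prefix}")
        if caps & WRITE_CAPS:
            findings.append(f"rule {path} grants write capabilities {sorted(caps & WRITE_CAPS)}")
    return findings
```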