
vault: post policy as HCL; find a more ergonomical approach for creating policies via the http api #16

Open
noahehall opened this issue Dec 24, 2022 · 1 comment

Comments

noahehall commented Dec 24, 2022

C

  • we need the ability to write policies in HCL, with any level of complexity, and post those HCL policies to a vault server

T

  • dude you just need to convert the policy to a string with quotes escaped, see below

A

creating policy policy_admin_vault:

```hcl
path "secret/*" { # kv-v2
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo"]
}

path "env/*" { # kv-v1
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo"]
}

path "sys/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "auth/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "database/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "pki*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}
```

```text
[DEBUG] SCRIPT.VAULT.SH
------------
[url]: https://dev.nirv.ai:8300/v1/sys/policies/acl/policy_admin_vault
[args]: -H X-Vault-Token: hvs.EqX-Bzh2cy5yb1lkcXlraHhYWmlLY1R5U2FxcTdoTWo --data {
    "policy": 
        "

                path \"secret/*\" {   
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\"]
                }
                path \"env/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\"]
                }
                path \"sys/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"auth/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"database/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"pki*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
        "
    }
------------
```
noahehall commented Dec 26, 2022

resolution

  • you're gonna have to write an HCL parser that escapes the double quotes everywhere, in order to send a string that parses back into valid HCL
    • vault won't accept the payload if you simply convert the HCL to JSON
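Added example, not the issue author's script: the `sys/policies/acl/<name>` endpoint takes the HCL as a single JSON string, so a JSON encoder does the quote, backslash and newline escaping that the curl `--data` above does by hand. The block also round-trips the payload to confirm Vault would decode exactly the policy that was written, and includes a small review helper that lists which path patterns grant `sudo`. The policy text is a constructed subset of the issue's `policy_admin_vault`; the `VAULT_ADDR` and `VAULT_TOKEN` environment variables are assumed.

```python
"""Build, check and (optionally) PUT a Vault ACL policy as raw HCL over the HTTP API."""
import json
import os
import re
import urllib.request

# Constructed sample: two of the path blocks from the issue's policy_admin_vault.
SAMPLE_POLICY_HCL = '''path "secret/*" { # kv-v2
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo"]
}

path "sys/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}
'''

PATH_RE = re.compile(r'path\s+"([^"]+)"\s*\{')


def build_policy_payload(policy_hcl: str) -> str:
    """Return the JSON body for PUT /v1/sys/policies/acl/<name>.

    Vault expects {"policy": "<HCL as one JSON string>"}; json.dumps escapes the
    embedded double quotes, backslashes and newlines, so no hand-written escaping
    is needed.
    """
    return json.dumps({"policy": policy_hcl})


def policy_round_trips(policy_hcl: str) -> bool:
    """True if decoding the payload gives back the HCL byte-for-byte."""
    return json.loads(build_policy_payload(policy_hcl))["policy"] == policy_hcl


def sudo_paths(policy_hcl: str) -> list:
    """Review aid: path patterns whose capabilities list includes "sudo".
    Line-based; assumes one `path "..." {` per block, as in the issue's policy."""
    found, current = [], None
    for line in policy_hcl.splitlines():
        m = PATH_RE.search(line)
        if m:
            current = m.group(1)
        elif current and "capabilities" in line and '"sudo"' in line:
            found.append(current)
    return found


def put_policy(vault_addr: str, name: str, policy_hcl: str, token: str) -> int:
    """PUT the policy and return the HTTP status (Vault answers 204 on success).
    The token is passed in from the environment rather than pasted into a script."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/sys/policies/acl/{name}",
        data=build_policy_payload(policy_hcl).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="PUT",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(put_policy(os.environ["VAULT_ADDR"], "policy_admin_vault",
                     SAMPLE_POLICY_HCL, os.environ["VAULT_TOKEN"]))
```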

@noahehall noahehall changed the title vault: find a more ergonomical approach for creating policies via the http api vault: post policy as HCL; find a more ergonomical approach for creating policies via the http api Dec 26, 2022