Documented preflight policy path #877

Open
wants to merge 3 commits into
base: master


@knorx knorx commented Jun 23, 2022

Added section describing that newer versions of vault need the preflight check path to be readable. (fixes #876)

Added section describing that newer versions of vault need the preflight check path to be readable.

CLAassistant commented Jun 23, 2022

CLA assistant check
All committers have signed the CLA.

@knorx knorx changed the title Documented preflight policy path (fixes #876) Documented preflight policy path Jun 23, 2022
To renew the token, we need yet another policy, this was also missing.

knorx commented Jun 23, 2022

Added documentation for token renewal, which was also missing.


nathanejohnson commented Jul 8, 2022

I set up a local vault instance running in dev mode, pointed my fabio instance to it and I was able to create the following minimal policy to support v2 kv store, with the preflight check. It appears that it is unnecessary to use the full ui mount path in the policy:

```hcl
path "secret/data/fabio/certs/*" {
  capabilities = ["read"]
}

path "secret/metadata/fabio/certs" {
  capabilities = ["list"]
}
```

The ability to self-renew is enabled in the default policies, though I do agree it would be useful to call it out in case some operator has removed this from the default policy. This is the default policy on my local dev instance, which was just created:


```hcl
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
    capabilities = ["read"]
}

# Allow tokens to renew themselves
path "auth/token/renew-self" {
    capabilities = ["update"]
}

# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
    capabilities = ["update"]
}
```

If you could validate my findings, and update your documentation PR to include this, I'd like you to get credit for finding this. Another tidbit, it's important to create the token as an orphan and with an explicit period, so that this will keep the token from bumping into the implicit max ttl which prevents the token from renewing after a time.

@nathanejohnson nathanejohnson self-requested a review July 8, 2022 22:20
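
Added example, not part of this PR or of fabio's or Vault's code: a small offline check of which request paths the minimal KV v2 policy quoted above covers, useful for confirming a least-privilege policy before handing a token to fabio. The matcher is a simplification assumed here (exact path first, otherwise the longest trailing-`*` prefix; `+` wildcards are not handled), and the secret name `example.com` is hypothetical.

```python
import re

# Constructed copy of the minimal KV v2 policy quoted in the comment above.
MINIMAL_POLICY = '''
path "secret/data/fabio/certs/*" {
  capabilities = ["read"]
}

path "secret/metadata/fabio/certs" {
  capabilities = ["list"]
}
'''

BLOCK_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl):
    """Return {path: set(capabilities)} for simple path blocks like the ones above."""
    rules = {}
    for path, caps in BLOCK_RE.findall(hcl):
        rules[path] = set(re.findall(r'"([^"]+)"', caps))
    return rules


def capabilities_for(rules, request_path):
    """Exact path wins; otherwise the longest trailing-* prefix rule applies."""
    if request_path in rules:
        return rules[request_path]
    globs = [p for p in rules if p.endswith("*") and request_path.startswith(p[:-1])]
    return rules[max(globs, key=len)] if globs else set()


def allowed(rules, capability, request_path):
    caps = capabilities_for(rules, request_path)
    return capability in caps and "deny" not in caps


if __name__ == "__main__":
    rules = parse_policy(MINIMAL_POLICY)
    # Hypothetical secret name "example.com"; paths follow the KV v2 data/metadata layout.
    for cap, path in [
        ("read", "secret/data/fabio/certs/example.com"),
        ("list", "secret/metadata/fabio/certs"),
        ("read", "secret/fabio/certs/example.com"),         # v1-style path: not covered
        ("update", "secret/data/fabio/certs/example.com"),  # write: not granted
        ("read", "secret/data/other/app"),                  # outside fabio's subtree
    ]:
        print(f"{cap:6} {path:45} {'allow' if allowed(rules, cap, path) else 'deny'}")
```

Only the first two requests come back `allow`; a policy written against the v1-style path `secret/fabio/certs/*` would leave a KV v2 reader with no access.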

# To check for kv version in newer vault instances
path "sys/internal/ui/mounts/secret/fabio/certs" {
capabilities = ["read"]
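
Review bot: the added `sys/internal/ui/mounts/secret/fabio/certs` block grants `read` on the full UI mount path, while the dev-mode test described in the conversation reports the preflight check passing with only `read` on `secret/data/fabio/certs/*` and `list` on `secret/metadata/fabio/certs`. Suggest re-testing without this block and dropping it if the check still passes, or, if it stays, stating in the comment which Vault versions need it, since "newer vault instances" gives an operator nothing to check against.
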
See the comments in the PR

Successfully merging this pull request may close these issues.

Vault preflight check policy not documented
3 participants