Difficulty: beginner
Estimated Time: 10 minutes

Overview

Vault is secure by default: an empty policy grants no permissions in the system. Policies must therefore be created to govern the behavior of clients and implement Role-Based Access Control (RBAC) by specifying access privileges (authorization).

Since everything in Vault is path based, policy authors must be aware of all existing paths as well as paths to be created.

One way to specify non-static paths in ACL policies is to use globs (*) at the end of paths.

For example:

path "transit/keys/*" {
  capabilities = [ "read" ]
}

path "secret/webapp_*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

However, a glob grants every client holding the policy the same access to every matching path, which makes management and delegation of per-user or per-group access challenging.

This guide shows how to use templating to set non-static paths in ACL policies. This feature was introduced in Vault 0.11.

Resources:

- Vault ACL Policy Path Templating

Step 1 of 3

Create Policies

Write policies which fulfill the following policy requirements:

(1) Each user can perform all operations on their allocated key/value secret path (user-kv/data/<user_name>)

(2) The education group has a dedicated key/value secret store for each region where all operations can be performed by the group members (group-kv/data/education/<region>)

(3) The group members can update the group information such as metadata about the group (identity/group/id/<group_id>)

As of Vault 0.11, you can pass in a policy path containing double curly braces as templating delimiters: {{<parameter>}}.

Available Templating Parameters

Name                                                                  Description
identity.entity.id                                                    The entity's ID
identity.entity.name                                                  The entity's name
identity.entity.metadata.<<metadata key>>                             Metadata associated with the entity for the given key
identity.entity.aliases.<<mount accessor>>.id                         Entity alias ID for the given mount
identity.entity.aliases.<<mount accessor>>.name                       Entity alias name for the given mount
identity.entity.aliases.<<mount accessor>>.metadata.<<metadata key>>  Metadata associated with the alias for the given mount and metadata key
identity.groups.ids.<<group id>>.name                                 The group name for the given group ID
identity.groups.names.<<group name>>.id                               The group ID for the given group name
identity.groups.ids.<<group id>>.metadata.<<metadata key>>            Metadata associated with the group for the given group ID and key
identity.groups.names.<<group name>>.metadata.<<metadata key>>        Metadata associated with the group for the given group name and key


Author ACL Policies

Open the user-tmpl.hcl file and enter the following policy rules in the editor (the following snippet can be copied into the editor):

# Grant permissions on user specific path
path "user-kv/data/{{identity.entity.name}}/*" {
    capabilities = [ "create", "update", "read", "delete", "list" ]
}

This policy fulfills policy requirement 1.

Next, open the group-tmpl.hcl file and enter the following policy rules in the editor:

# Grant permissions on the group specific path
# The region is specified in the group metadata
path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
    capabilities = [ "create", "update", "read", "delete", "list" ]
}

# Group member can update the group information
path "identity/group/id/{{identity.groups.names.education.id}}" {
  capabilities = [ "update", "read" ]
}

This policy fulfills policy requirements 2 and 3.
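To see how the two templated policies above behave for different entities, and why the Overview prefers them over a shared trailing glob, here is an added worked example. It is not Vault's code: it is a small Python model of parameter substitution and trailing-glob prefix matching. The entities, the group ID and the region metadata are constructed sample data, and the model assumes that a rule whose parameter does not resolve for an entity (for example, a user outside the education group) simply does not apply; Vault's deny precedence and longest-prefix rule selection are left out.

```python
"""Toy model of Vault ACL path templating and trailing-glob matching.
Added illustration, not Vault's implementation: it ignores Vault's
deny precedence and longest-prefix rule selection."""
import re

# Policies from this step, embedded so the block runs stand-alone.
USER_TMPL = '''
path "user-kv/data/{{identity.entity.name}}/*" {
    capabilities = [ "create", "update", "read", "delete", "list" ]
}
'''
GROUP_TMPL = '''
path "group-kv/data/education/{{identity.groups.names.education.metadata.region}}/*" {
    capabilities = [ "create", "update", "read", "delete", "list" ]
}
path "identity/group/id/{{identity.groups.names.education.id}}" {
  capabilities = [ "update", "read" ]
}
'''
# A non-templated glob policy of the kind the Overview warns about.
GLOB_POLICY = 'path "user-kv/data/*" { capabilities = [ "read" ] }'

# Constructed sample identities with hypothetical IDs (not real Vault data).
EDUCATION = {"id": "group-id-education-0001", "name": "education",
             "metadata": {"region": "us-west"}}
ALICE = {"id": "entity-id-alice-0001", "name": "alice", "metadata": {},
         "groups": [EDUCATION]}
BOB = {"id": "entity-id-bob-0002", "name": "bob", "metadata": {}, "groups": []}

RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)
PARAM_RE = re.compile(r"\{\{([^}]+)\}\}")

def parse_policy(text):
    """Return [(path_template, {capabilities})] from an HCL-style policy."""
    return [(path, set(re.findall(r'"([^"]+)"', caps)))
            for path, caps in RULE_RE.findall(text)]

def _field(obj, rest):
    """Resolve the trailing .id / .name / .metadata.<key> part of a parameter."""
    if rest in (["id"], ["name"]):
        return obj[rest[0]]
    if len(rest) == 2 and rest[0] == "metadata":
        return obj["metadata"].get(rest[1])
    return None

def resolve_param(param, entity):
    """Look up one parameter from the table above; None if it cannot be
    resolved (e.g. the entity is not a member of the named group)."""
    parts = param.split(".")
    if parts[:2] == ["identity", "entity"]:
        return _field(entity, parts[2:])
    if parts[:2] == ["identity", "groups"] and len(parts) >= 5:
        kind, key = parts[2], parts[3]          # names.<name> or ids.<id>
        if kind not in ("names", "ids"):
            return None
        for group in entity["groups"]:
            if group["name" if kind == "names" else "id"] == key:
                return _field(group, parts[4:])
    return None

def render_path(template, entity):
    """Substitute every {{parameter}}. Model assumption: a rule with an
    unresolvable parameter simply does not apply to this entity."""
    values = [resolve_param(p.strip(), entity) for p in PARAM_RE.findall(template)]
    if any(v is None for v in values):
        return None
    return PARAM_RE.sub(lambda m: values.pop(0), template)

def path_matches(rule_path, request_path):
    """A trailing '*' is a prefix glob; anything else must match exactly."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return request_path == rule_path

def is_allowed(policies, entity, request_path, capability):
    """True if any rule, rendered for this entity, grants the capability."""
    for policy in policies:
        for template, caps in parse_policy(policy):
            concrete = render_path(template, entity)
            if concrete and path_matches(concrete, request_path) and capability in caps:
                return True
    return False

def demo():
    """Requirements 1-3 checked for alice (education, us-west) and bob."""
    checks = [
        (ALICE, "user-kv/data/alice/db-creds", "create"),               # own path
        (ALICE, "user-kv/data/bob/db-creds", "read"),                   # other user
        (ALICE, "group-kv/data/education/us-west/plan", "update"),      # own region
        (ALICE, "group-kv/data/education/eu-central/plan", "read"),     # other region
        (ALICE, "identity/group/id/group-id-education-0001", "update"), # group info
        (BOB, "group-kv/data/education/us-west/plan", "read"),          # non-member
    ]
    return [is_allowed([USER_TMPL, GROUP_TMPL], e, p, c) for e, p, c in checks]

def glob_vs_template():
    """The Overview's point: a shared trailing-glob policy lets alice read
    bob's secrets, while the templated policy confines her to her own path."""
    path = "user-kv/data/bob/db-creds"
    return (is_allowed([GLOB_POLICY], ALICE, path, "read"),
            is_allowed([USER_TMPL], ALICE, path, "read"))
```

`demo()` returns `[True, False, True, False, True, False]`: alice gets full access under her own user path and her group's region, nothing under another user's path or another region, and bob, who is not in the education group, gets nothing from the group policy because its parameters do not resolve for him. `glob_vs_template()` returns `(True, False)`, which is the management problem the Overview describes: one policy text serves every user, but only the templated form keeps each user inside their own path.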

Deploy Policies

Log in with the root token.

Clicking on a command copies it into the terminal and executes it automatically.

vault login root

Execute the following command to create user-tmpl policy:

vault policy write user-tmpl user-tmpl.hcl

Similarly, execute the following command to create group-tmpl policy:

vault policy write group-tmpl group-tmpl.hcl

List the available policies to verify:

vault policy list

To clear the screen: clear