Allow access to specific key inside the secret

I have a path it-dba/secrets which contains all the DB passwords, like:

{
  "apps": "xxxxx",
  "soa_infra": "xxxxx",
  "osb": "xxx"
}

How do I create a policy to restrict access to only one key, like "apps"?

Is it possible in Vault?

Will this work?

path "it-dba/secrets" {
  capabilities = ["read", "list"]

  allowed_parameters = {
    "apps" = []
  }
}

Please help.

My request is about accessing the existing key, not writing new data to the secret.

Also would like to know if this is possible

Yes please let me know will try.

Did you ever find out if this is possible?

I don’t believe this is possible as described.

You could structure your secrets differently, such as:
it-dba/secrets/apps/<app_name>/<secret_name>

This would allow you to grant permissions based on app name, individual secret, or common prefix.

# Allow reading of app app1 secrets
path "it-dba/secrets/apps/app1/*" {
  capabilities = ["read", "list"]
}

# Allow reading of my_secret
path "it-dba/secrets/apps/app1/my_secret" {
  capabilities = ["read"]
}

# Allow reading of secrets with prefix of "my"
path "it-dba/secrets/apps/app1/my*" {
  capabilities = ["read"]
}

I find the best approach is for each secret you create to have common key names (e.g. username, password, key, etc.) and to be organized in a way that facilitates the ACL capabilities and your access delegation needs.
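To make the point concrete, here is an added example (written for this thread, not HashiCorp's code) that models how Vault evaluates path-based ACL rules: a request matches an exact path first, otherwise the longest trailing-"*" glob prefix that covers it. The KV stores, the app names and the `db` secret name are constructed for the illustration; Vault's real matcher also handles "+" segment wildcards and explicit deny, which the rules in this thread do not use. Run against the single secret from the question, a read returns every key, because the policy only sees the path; run against the per-app layout from the answer, each app's policy covers only its own subtree.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    path: str           # policy path, optionally ending in a trailing "*" glob
    capabilities: set   # e.g. {"read", "list"}


def matching_rule(rules, request_path):
    """Return the most specific rule covering request_path, or None.

    Simplified model of Vault's ACL evaluation: an exact path wins over any
    glob; among globs, the longest matching prefix wins.
    """
    for rule in rules:
        if not rule.path.endswith("*") and rule.path == request_path:
            return rule
    globs = [r for r in rules
             if r.path.endswith("*") and request_path.startswith(r.path[:-1])]
    return max(globs, key=lambda r: len(r.path), default=None)


def allowed(rules, request_path, capability):
    """True if the matching rule grants the capability (no explicit deny)."""
    rule = matching_rule(rules, request_path)
    return (rule is not None
            and "deny" not in rule.capabilities
            and capability in rule.capabilities)


def read_secret(store, rules, path):
    """Simulate a KV read: the whole secret comes back, or nothing does."""
    if not allowed(rules, path, "read"):
        raise PermissionError(f"permission denied on {path}")
    return dict(store[path])


# Constructed KV store: the single secret from the question.
ORIGINAL_STORE = {
    "it-dba/secrets": {"apps": "xxxxx", "soa_infra": "xxxxx", "osb": "xxx"},
}

# Constructed KV store: the same data laid out per app, with common key names.
RESTRUCTURED_STORE = {
    "it-dba/secrets/apps/app1/db":      {"username": "app1", "password": "xxxxx"},
    "it-dba/secrets/apps/soa_infra/db": {"username": "soa",  "password": "xxxxx"},
    "it-dba/secrets/apps/osb/db":       {"username": "osb",  "password": "xxx"},
}

# The policy from the question: path-level read on the shared secret.
ORIGINAL_POLICY = [Rule("it-dba/secrets", {"read", "list"})]

# The three rules from the answer, as they interact with each other.
ANSWER_POLICY = [
    Rule("it-dba/secrets/apps/app1/*", {"read", "list"}),
    Rule("it-dba/secrets/apps/app1/my_secret", {"read"}),
    Rule("it-dba/secrets/apps/app1/my*", {"read"}),
]


def keys_visible_to_original_policy():
    """Every key in the shared secret is exposed by a single path-level read."""
    return sorted(read_secret(ORIGINAL_STORE, ORIGINAL_POLICY, "it-dba/secrets"))


def app1_can_read_other_apps():
    """With the per-app layout, app1's rules do not reach soa_infra or osb."""
    return any(allowed(ANSWER_POLICY, p, "read")
               for p in RESTRUCTURED_STORE if "/app1/" not in p)


if __name__ == "__main__":
    print("shared secret exposes:", keys_visible_to_original_policy())
    print("app1 policy reaches other apps:", app1_can_read_other_apps())
    for p in ["it-dba/secrets/apps/app1/db",
              "it-dba/secrets/apps/app1/my_other",
              "it-dba/secrets/apps/app1/my_secret"]:
        print(p, "->", matching_rule(ANSWER_POLICY, p).path)
```

The `ANSWER_POLICY` rules also show the precedence the answer relies on: `my_secret` is governed by its exact-path rule (read only), `my_other` by the more specific `my*` glob, and anything else under `app1/` by the broad `*` rule that also grants list.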