Hi everyone,
I’d like to receive encrypted files and messages from arbitrary users, without access to my Vault instance, using transit keys stored in Vault.
That means: when I create a transit rsa-4096 key in Vault, that key has several methods, including encryption (which only requires a public key) and decryption (which requires a secret key).
I’d like to grant any anonymous user read access to my public key, so they can use it to encrypt messages to me without needing to log in to my Vault instance, while only I (and permitted users) can decrypt the message, thanks to the access permission on the private key.
I Googled and found this approach: Anonymous ACL policy · Issue #2482 · hashicorp/vault · GitHub
I tried to raise my question in that GitHub thread already, but since it has been closed for some years now, I don’t have too much hope for an answer …
Unfortunately, this does not seem to work for me. This is what I have done:
First, I enabled the approle auth method:

```
❯ vault auth enable approle
Success! Enabled approle auth method at: approle/
```
Next, I created a policy called `anonymous_access_to_sops_encrypt`:

```hcl
# See https://github.com/hashicorp/vault/issues/2482#issuecomment-633748925
# This is a policy designed to only be associated with an anonymous user
# app-role.

# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

# Allow tokens to renew themselves
path "auth/token/renew-self" {
  capabilities = ["update"]
}

# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
  capabilities = ["update"]
}

# Allow a token to unwrap a response-wrapping token. This is a convenience to
# avoid client token swapping since this is also part of the response wrapping
# policy.
path "sys/wrapping/unwrap" {
  capabilities = ["update"]
}

# Allow general purpose tools
path "sys/tools/hash" {
  capabilities = ["update"]
}

path "sys/tools/hash/*" {
  capabilities = ["update"]
}

# Grant Read Access to "sops/encrypt"
path "sops/encrypt/*" {
  capabilities = ["read"]
}
```
Finally, I created the anonymous approle:

```
❯ vault write auth/approle/role/anonymous \
    role_id=anonymous \
    bind_secret_id=false \
    token_bound_cidrs=0.0.0.0/32 \
    token_no_default_policy=true \
    token_policies=anonymous_access_to_sops_encrypt
Success! Data written to: auth/approle/role/anonymous
```
Unfortunately, this is the result:

```
❯ vault write auth/approle/login role_id=anonymous
Key                     Value
---                     -----
token                   hvs.CAESIIClI2TD...
token_accessor          hHI4ZGd89...
token_duration          768h
token_renewable         true
token_policies          ["anonymous_access_to_sops_encrypt"]
identity_policies       []
policies                ["anonymous_access_to_sops_encrypt"]
token_meta_role_name    anonymous

❯ export VAULT_TOKEN="hvs.CAESIIClI2TD..."

❯ vault token lookup
Error looking up token: Error making API request.

URL: GET https://my-vault:8200/v1/auth/token/lookup-self
Code: 403. Errors:

* permission denied
```
What am I missing?
It seems as if the `anonymous_access_to_sops_encrypt` policy is not evaluated as expected here, since part of it is to enable the token lookup (first rule):

```hcl
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
```
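For comparison, here is an added example policy (not from the post above or from the linked GitHub issue) that scopes an anonymous AppRole to encrypt-only use of one transit key; it assumes the transit engine is mounted at `transit/` and the key is named `inbox`, both placeholders chosen for this example.

```hcl
# Added example: least-privilege policy for an anonymous, encrypt-only role.
# Assumes a transit mount at "transit/" and a key named "inbox" (placeholders).

# Reading the key entry returns its metadata, which for an RSA transit key
# includes the public key. Nothing here exposes private key material.
path "transit/keys/inbox" {
  capabilities = ["read"]
}

# The transit encrypt endpoint is a write operation in Vault's API, so the
# policy must grant "update"; a "read" grant alone is denied for it.
path "transit/encrypt/inbox" {
  capabilities = ["update"]
}

# Let the anonymous token inspect and revoke itself, and nothing else.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

path "auth/token/revoke-self" {
  capabilities = ["update"]
}

# Decryption is intentionally absent: only authenticated, separately
# policied identities should ever hold a token that can reach
# transit/decrypt/inbox.
```

When creating the role with `vault write auth/approle/role/anonymous`, either omit `token_bound_cidrs` or set it to the network ranges the anonymous callers actually come from, since the token is only accepted from addresses inside the listed CIDRs; a short `token_ttl` limits how long a leaked anonymous token stays usable.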