Hello! Are there best practices for “admin” policy?
I use this policy:
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
Is it good?
Check this one:
Is there a simpler policy? I have an admin policy that started like the one linked by Wolfsrudel, but it didn’t provide access to everything. So I kept adding things, until I got to an AppRole that had been created by one of our users, and it specified only “read”, so now I have to manually add a bunch more things.
What I want is a simple policy that simply says: ANYTHING, EVERYTHING complete access.
Is there such a thing?
Here is what I finally came up with. Add this to your policy for those who need to become admins:
path "auth/token/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
Then, after assuming the policy with that line, issue this:
vault login $( vault write -f /auth/token/create-orphan ttl=1h policies=admin \
| grep '^token ' | awk '{print $2}' )
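Added example, not part of the thread and not Vault's own tooling: a small Python audit that reads policy HCL and flags the grants discussed above, namely a full-tree "*" path, sudo on a glob, and sudo over the token-creation endpoints that the last post relies on to obtain a token carrying the admin policy. The rule names, the regex-based stanza parser and the sample policies are assumptions of this example.

```python
import re

STANZA = re.compile(r'path\s+"([^"]+)"\s*\{(.*?)\}', re.S)
TOKEN_PATHS = ("auth/token/create", "auth/token/create-orphan")

def parse_policy(hcl):
    """Return [(path, {capabilities})] for every path stanza in a policy."""
    stanzas = []
    for path, body in STANZA.findall(hcl):
        m = re.search(r'capabilities\s*=\s*\[(.*?)\]', body, re.S)
        stanzas.append((path, set(re.findall(r'"([a-z]+)"', m.group(1))) if m else set()))
    return stanzas

def covers(pattern, path):
    """Vault-style match: a trailing '*' is a prefix glob, '+' is one segment."""
    rx = "/".join("[^/]+" if s == "+" else re.escape(s) for s in pattern.split("/"))
    if pattern.endswith("*"):
        rx = rx[:-2] + ".*"  # drop the escaped '*' and accept any suffix
    return re.fullmatch(rx, path) is not None

def audit(hcl):
    """Return sorted (path, rule) findings; the rule names are this example's own."""
    findings = set()
    for path, caps in parse_policy(hcl):
        if "deny" in caps:
            continue  # an explicit deny grants nothing
        if path == "*":
            findings.add((path, "full-tree-glob"))
        if "sudo" in caps and path.endswith("*"):
            findings.add((path, "sudo-on-glob"))
        # sudo plus write on a token-creation path: the holder can request
        # tokens with policies attached, as the thread's last post does.
        if "sudo" in caps and caps & {"create", "update"} \
                and any(covers(path, p) for p in TOKEN_PATHS):
            findings.add((path, "token-mint"))
    return sorted(findings)

# Constructed inputs: the two policies from the thread and one scoped policy.
ALL_CAPS = '["create", "read", "update", "delete", "list", "sudo"]'
WILDCARD = 'path "*" {\n  capabilities = %s\n}' % ALL_CAPS
TOKEN_ADMIN = 'path "auth/token/*"\n{\n  capabilities = %s\n}' % ALL_CAPS
SCOPED = 'path "secret/data/app/*" {\n  capabilities = ["read", "list"]\n}'

if __name__ == "__main__":
    for name, policy in [("wildcard", WILDCARD), ("token-admin", TOKEN_ADMIN),
                         ("scoped", SCOPED)]:
        print(name, audit(policy))
```

Run over exported policy text, a "token-mint" finding on a policy that looks narrow is the case to review first, since it reaches the same access as the wildcard policy in one extra step.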