Best practices for "admin" policy?

Hello! Are there best practices for an “admin” policy?

I use this policy:

path "*" {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

Is it good?

Check this one:


Is there a simpler policy? I have an admin policy that started like the one linked by Wolfsrudel, but it didn’t provide access to everything. So I kept adding things, until I got to an AppRole that had been created by one of our users, and it specified only “read”, so now I have to manually add a bunch more things.

What I want is a simple policy that simply says: ANYTHING, EVERYTHING complete access.

Is there such a thing?
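An added example (not from this thread) that models why a catch-all policy can still leave gaps: Vault resolves a request against the most specific matching path across all policies attached to the token, and "deny" in any matching rule overrides every grant. The function names, the two constructed policies and the simplifications (no "+" segment wildcard, no parameter constraints) are assumptions of this example, not Vault's own code.

```python
# Added example (not from this thread): a simplified model of how Vault merges
# the ACL policies attached to a token and resolves a request path. Two Vault
# rules are modelled: the most specific path rule wins (an exact path beats a
# trailing-"*" glob, and a longer glob beats a shorter one), and "deny" in any
# matching rule overrides every other capability. The "+" segment wildcard,
# allowed/denied parameters and other policy fields are left out.
from typing import Dict, List, Set

ALL_CAPS = {"create", "read", "update", "delete", "list", "sudo"}

# Policies as {name: {path: [capabilities]}}; the HCL is not parsed here.
Policy = Dict[str, List[str]]


def merge(policies: Dict[str, Policy]) -> Dict[str, Set[str]]:
    """Union the capabilities granted on each path across all policies.
    A "deny" on a path in any policy wins over grants in the others."""
    acl: Dict[str, Set[str]] = {}
    for rules in policies.values():
        for path, caps in rules.items():
            acl.setdefault(path, set()).update(caps)
    return {p: ({"deny"} if "deny" in c else c) for p, c in acl.items()}


def capabilities(acl: Dict[str, Set[str]], request: str) -> Set[str]:
    """Resolve the capabilities for a request path: exact match first, then
    the longest glob prefix; nothing matched means deny by default."""
    if request in acl:
        return acl[request]
    best = None
    for path in acl:
        if path.endswith("*") and request.startswith(path[:-1]):
            if best is None or len(path) > len(best):
                best = path
    return acl[best] if best is not None else {"deny"}


def can(acl: Dict[str, Set[str]], request: str, cap: str) -> bool:
    """True if the request path grants `cap` and is not denied."""
    caps = capabilities(acl, request)
    return "deny" not in caps and cap in caps


if __name__ == "__main__":
    # Constructed sample: the thread's catch-all "admin" policy next to a
    # narrower policy attached to the same token by a teammate.
    acl = merge({
        "admin": {"*": sorted(ALL_CAPS)},
        "app-ro": {"secret/data/app": ["read"]},
    })
    print(can(acl, "secret/data/other", "update"))  # True: "*" applies
    print(can(acl, "secret/data/app", "update"))    # False: exact rule wins
```

The second result is the trap: the narrower rule for `secret/data/app` shadows `path "*"` for that one path, so the token holding both policies can only read there.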

Here is what I finally came up with. Add this to the policy for those who need to become admins:

path "auth/token/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

Then, after assuming the policy with that line, issue this:

# -field=token prints only the token value, so no grep/awk column parsing is needed
vault login "$(vault write -f -field=token auth/token/create-orphan ttl=1h policies=admin)"