Best practices on mounts and paths

Hi everyone,

Curious to see what best practices and approaches you took to define your HashiCorp Vault mounts and paths?

I know the config depends quite a lot on the work you deal with; however, it would be nice to have a generic default.

Cheers

One thing that I learned somewhat recently is that mount paths may contain / characters. Other people I’ve worked with had used /'s in mount paths for organization and easier policy management. (e.g. my_team/kv).

Example (overly simplistic) policy:

path "my_team/+/creds/*" {
  capabilities = ["read"]
}

Be mindful of using that method and namespaces as root namespace policies could grant access to paths in the root and child namespace in a single policy. For example the following policy could grant access to a kv mount in the root namespace called my_team/kv as well as a mount called “kv” in a namespace called “my_team”:

path "my_team/kv/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

Another thing to keep in mind is the maximum number of mounts that can be configured for your instance. The "Limits and Maximums" guide from HashiCorp is very helpful for this and may help shape your strategy.
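An added example, not from the original post, that models the two policies above in Python so you can audit which mounts a root-namespace policy reaches before applying it. It assumes Vault's documented matching rules ("+" matches exactly one path segment, "*" is only valid as the trailing glob) and uses a constructed simplification of namespaces: a mount in child namespace N, addressed from the root namespace, has the path "N/mount/...".

```python
import re


def rule_to_regex(rule: str) -> re.Pattern:
    """Translate a Vault policy path into a regex (assumed semantics from the
    Vault docs: '+' matches one segment, '*' only as the final character)."""
    if "*" in rule[:-1]:
        raise ValueError("'*' is only allowed at the end of a policy path")
    prefix_glob = rule.endswith("*")
    body = rule[:-1] if prefix_glob else rule
    parts = [r"[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if prefix_glob else "") + "$")


def rule_matches(rule: str, request_path: str) -> bool:
    """True if a request path falls under a single policy path rule."""
    return rule_to_regex(rule).match(request_path) is not None


def reachable_mounts(policy_rules, mounts):
    """Report which (namespace, mount) pairs a root-namespace policy can touch.

    Constructed model: a mount in the root namespace is addressed as 'mount/',
    a mount in child namespace N as 'N/mount/'. Each mount is probed with a
    constructed child path so trailing globs are exercised.
    """
    hits = []
    for ns, mount in mounts:
        probe = (f"{ns}/{mount}/" if ns else f"{mount}/") + "some-secret"
        for rule in policy_rules:
            if rule_matches(rule, probe):
                hits.append((ns, mount, rule))
                break
    return hits


if __name__ == "__main__":
    # Constructed inventory: root-namespace mounts plus one child-namespace mount.
    inventory = [("", "my_team/kv"), ("my_team", "kv"), ("", "other/kv")]
    for ns, mount, rule in reachable_mounts(["my_team/kv/*"], inventory):
        print(f"namespace={ns or 'root'!s:8} mount={mount:12} via {rule}")
    # '+' is a single segment: database/creds matches, kv/data/creds does not.
    print(rule_matches("my_team/+/creds/*", "my_team/database/creds/app1"))
    print(rule_matches("my_team/+/creds/*", "my_team/kv/data/creds/app1"))
```

Run against your real mount inventory (for example the output of `vault secrets list` per namespace) to see every mount a proposed root-namespace policy would reach.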
