Hi everyone,
Curious to see what are the best practices and approaches you took to define your Hashicorp Vault mounts and paths?
I know the config is quite depending on the work you deal with however, it would be nice to have a generic default.
Cheers
One thing that I learned somewhat recently is that mount paths may contain / characters. Other people I’ve worked with had used /'s in mount paths for organization and easier policy management. (e.g. my_team/kv).
Example (overly simplistic) policy:
path "my_team/+/creds/*" {
capabilities = ["read"]
}
Be mindful of using that method and namespaces as root namespace policies could grant access to paths in the root and child namespace in a single policy. For example the following policy could grant access to a kv mount in the root namespace called my_team/kv as well as a mount called “kv” in a namespace called “my_team”:
path "my_team/kv/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
Another thing to keep in mind is the maximum number of mounts that can be configured for your instance. The Limits and Maximums | Vault by HashiCorp guide is very helpful for this and may help shape your strategy.