Can you use a policy to allow only specifics keys

simon · July 23, 2021, 2:41pm

I’m trying to use the allowed_parameters bit of a policy to control the names of key/values pairs. see image. Is this possible if so what am i missing

fhemberger · July 23, 2021, 3:13pm

Hi @simon,

it looks like required_parameters, allowed_parameters and denied_parameters are not supported on kv-v2:

github.com/hashicorp/vault

KV version 2 seems to deny request with allowed_parameter policies

opened 12:43PM - 16 Apr 18 UTC

HT43-bqxFqB

enhancement secret/kv

**Environment:** * Vault Version: 0.10.0 * Operating System/Architecture: Ce…ntOS 7 **Vault Config File:** ```hcl { "backend": { "file": { "path": "/var/lib/vault" } }, "default_lease_ttl": "24h", "listener": { "tcp": { "address": "0.0.0.0:8200", "tls_cert_file": "/etc/vault/cert.pem", "tls_cipher_suites": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "tls_key_file": "/var/lib/vault/tls/certificate.key", "tls_min_version": "tls12", "tls_prefer_server_cipher_suites": "true" } }, "max_lease_ttl": "817600h", "ui": "true" } ``` **Expected Behavior:** ACL with allow_parameters should allow kv creation: ```hcl # kv version 2 path "sec/data/*" { capabilities = [ "create", "list", "update", "read", "delete" ] allowed_parameters = { "password" = [] "url" = [] }, } ``` **Actual Behavior:** ``` vault kv put se/server/xyz.domain.com/user/root password=PA55W00RD Error writing data to se/server/xyz.domain.com/user/root: Error making API request. URL: PUT https://vault:8200/v1/sec/data/server/xyz.domain.com/user/root Code: 403. Errors: * permission denied ``` The put request only works when the `allowed_parameter` part in the hcl is removed and the policy is updated. **Steps to Reproduce:** * Create kv `vault secrets enable -path=sec -version=2 kv` * Create policy with allowed_parameters * Create kv pair -> permission denied * Overwrite policy without `allowed_parameters` * Create kv pair -> success

jeffsanicola · July 23, 2021, 3:16pm

If you are running Vault Enterprise then you may use Sentinel to control the content.

Here’s an example EGP policy that I built out a while back. Note that you will need to replace the ${valid_keys} variable with your desired values.

import "strings"

# A list of valid keys for this path
param valid_keys default ${valid_keys}

is_valid_key = func() {
  # Print some debugging info
  print("Namespace path:", namespace.path)
  print("Request path:", request.path)
  print("Request data:", request.data)

  for request.data.data as key {
    if !(valid_keys contains key) {
      print(key, "not contained within", valid_keys)
      # Found an invalid key name - mark update as invalid
      return false
    }
  }
  return true
}

precond = rule {
  # Only apply the rule when writing a secret
  request.operation == "create" or request.operation == "update"
}

main = rule when precond {
  # Call function to determine validity of the keys in the request
  is_valid_key()
}

simon · July 23, 2021, 3:28pm

Thank you for the responses .

neekaw · January 24, 2024, 8:27am

So there is no way to do that for free on kv-v2? It’s not just a different command?

jeffsanicola · January 25, 2024, 12:54am

No, not to my knowledge.

Topic		Replies	Views
Restricting access to key+value pairs using policies Vault	5	539	September 7, 2020
Vault Policy Question Vault vault	6	1652	December 17, 2020
Key and value limits for key value pairs Vault kv , vault	2	1511	March 6, 2022
ACL Policy - permission denied Vault	3	1274	November 9, 2021
Check what version of kv secret Vault vault	6	1028	October 24, 2022

Can you use a policy to allow only specifics keys

Related topics