Can you use a policy to allow only specifics keys

I’m trying to use the allowed_parameters bit of a policy to control the names of key/values pairs. see image. Is this possible if so what am i missing

Hi @simon,

it looks like required_parameters, allowed_parameters and denied_parameters are not supported on kv-v2:

If you are running Vault Enterprise then you may use Sentinel to control the content.

Here’s an example EGP policy that I built out a while back. Note that you will need to replace the ${valid_keys} variable with your desired values.

import "strings"

# A list of valid keys for this path
param valid_keys default ${valid_keys}

is_valid_key = func() {
  # Print some debugging info
  print("Namespace path:", namespace.path)
  print("Request path:", request.path)
  print("Request data:", request.data)

  for request.data.data as key {
    if !(valid_keys contains key) {
      print(key, "not contained within", valid_keys)
      # Found an invalid key name - mark update as invalid
      return false
    }
  }
  return true
}

precond = rule {
  # Only apply the rule when writing a secret
  request.operation == "create" or request.operation == "update"
}

main = rule when precond {
  # Call function to determine validity of the keys in the request
  is_valid_key()
}

Thank you for the responses .

So there is no way to do that for free on kv-v2? It’s not just a different command?

No, not to my knowledge.