Capability to enable secret engine

josedev-union · January 7, 2021, 5:57pm

Which path and capability needed to enable secret engine?

Expectation is:
For example,

path "/mysecret/*" {
    ["create", "read", "update", "delete", "list", "sudo"]
}

If I have this policy, then I can enable any secret engine on /mysecret/* path.

But now permission denied.

mgritter · January 7, 2021, 6:30pm

The API used to create mount points is sys/mounts/:path:

You will need to give create access to sys/mounts/mysecret/* in order to enable mount points under mysecret. The documentation does not indicate that “sudo” is necessary (as it is to add an auth method.)

josedev-union · January 7, 2021, 7:39pm

Thank you @mgritter
It works perfectly.