Minimal policy for Vault servers with Consul as backend

Hello,

I am trying to integrate the Consul backend with the Vault server.
It works fine using acl_master_token in the Vault configuration, but I cannot use a specific token attached to a policy looking like:

key "vault/" {
  policy = "write"
}
service "vault" {
  policy = "write"
}

I always get

Nov 18 18:22:39 vault-tst1 consul[17323]:     2019/11/18 18:22:39 [DEBUG] http: Request GET /v1/kv/vault/core/migration (1.457785ms) from=172.17.0.2:47246
Nov 18 18:22:40 vault-tst1 consul[17323]:     2019/11/18 18:22:40 [DEBUG] manager: Rebalanced 3 servers, next active server is consul-tst3 (Addr: tcp/10.238.224.123:8300) (DC: dc1)
Nov 18 18:22:41 vault-tst1 consul[17323]:     2019/11/18 18:22:41 [ERR] consul: "KVS.Get" RPC failed to server 10.238.224.123:8300: rpc error making call: rpc error making call: Permission denied
Nov 18 18:22:41 vault-tst1 consul[17323]:     2019/11/18 18:22:41 [DEBUG] manager: cycled away from server "consul-tst3"
Nov 18 18:22:41 vault-tst1 consul[17323]:     2019/11/18 18:22:41 [ERR] http: Request GET /v1/kv/vault/core/migration, error: rpc error making call: rpc error making call: Permission denied from=172.17.0.2:47248

What is the minimal policy I have to attach?

Any clues appreciated
François

Hi,

The minimal policy I used was:

key_prefix "locks/vault-server-init/" {
  policy = "write"
}

key_prefix "vault/" {
  policy = "write"
}

node "Vault-Server-10.127.5.28" {
  policy = "write"
}

service "vault-server" {
  policy = "write"
}

agent "Vault-Server-10.127.5.28" {
  policy = "write"
}

session_prefix "" {
  policy = "write"
}

I think I copied it from somewhere in the Vault documentation and amended it a bit to follow a least-permissive approach.

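The difference between the question's policy and the answer's is the rule type: in Consul ACLs a `key "vault/"` rule matches only the single key `vault/`, while `key_prefix "vault/"` matches every key under that path, which is what Vault needs when it reads `vault/core/migration` (the request in the log above). The following added example (written for this thread; it is not Consul's or Vault's code) is a small evaluator of the `key` / `key_prefix` rule types that assumes Consul's documented semantics: exact `key` rules take precedence over prefix rules, the longest matching prefix wins, and a key that matches no rule is denied (the behaviour of `acl default_policy = "deny"`). Other rule types (`service`, `node`, `agent`, `session_prefix`) are ignored by the parser, and `other/secret` is a constructed key used only as a negative check.

```python
import re

# Matches rules of the form: key "path" { policy = "write" }  or  key_prefix ...
# Constructed for this example; it understands only the key/key_prefix rule types.
RULE_RE = re.compile(
    r'\b(key_prefix|key)\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(read|write|deny)"\s*\}',
    re.S,
)


def parse_rules(policy_text):
    """Return a list of (rule_type, path, policy) tuples from an HCL-style policy."""
    return [(m.group(1), m.group(2), m.group(3)) for m in RULE_RE.finditer(policy_text)]


def policy_allows(policy, operation):
    """Map a Consul policy word to an allow/deny decision for read or write."""
    if policy == "deny":
        return False
    if policy == "write":          # write implies read
        return operation in ("read", "write")
    return operation == "read"     # policy == "read"


def evaluate_key(rules, key, operation="read"):
    """Decide whether `operation` on KV `key` is allowed by `rules`.

    Assumed semantics (Consul documentation): an exact `key` rule wins over any
    `key_prefix` rule; among prefix rules the longest matching prefix wins;
    no matching rule means deny (default_policy = "deny").
    """
    best_prefix = None  # (prefix_length, policy)
    for rule_type, path, policy in rules:
        if rule_type == "key" and key == path:
            return policy_allows(policy, operation)
        if rule_type == "key_prefix" and key.startswith(path):
            if best_prefix is None or len(path) > best_prefix[0]:
                best_prefix = (len(path), policy)
    if best_prefix is None:
        return False
    return policy_allows(best_prefix[1], operation)


def check(policy_text, key, operation="read"):
    """Convenience wrapper: parse the policy text and evaluate one key."""
    return evaluate_key(parse_rules(policy_text), key, operation)


# The policy from the question (exact-match `key` rule).
ASKED_POLICY = '''
key "vault/" {
  policy = "write"
}
service "vault" {
  policy = "write"
}
'''

# The rule from the answer that makes Vault's KV access work.
WORKING_POLICY = '''
key_prefix "vault/" {
  policy = "write"
}
'''

# Key from the GET /v1/kv/vault/core/migration request in the Consul log.
MIGRATION_KEY = "vault/core/migration"


if __name__ == "__main__":
    for name, text in (("key", ASKED_POLICY), ("key_prefix", WORKING_POLICY)):
        allowed = check(text, MIGRATION_KEY)
        print(f'{name:10s} rule: read {MIGRATION_KEY} -> {"allowed" if allowed else "Permission denied"}')
    # Constructed key outside the Vault prefix; stays denied under both policies.
    print(f'key_prefix rule: read other/secret -> {check(WORKING_POLICY, "other/secret")}')
```

Running it shows the exact-match rule denying the migration key (the "Permission denied" in the log) while the prefix rule allows it, and that the prefix rule still denies keys outside `vault/`, which is the least-privilege property the answer's policy relies on.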

Hi,

Thanks.

key_prefix "vault/" {
  policy = "write"
}

got this working.