I’m confused about how one of the PKI engine’s permission behaviors is implemented. TL;DR: why can’t a non-root token delete the CA within a PKI engine it otherwise has complete access to?
Say you create a PKI engine with a token limited just to managing (i.e., all perms on) PKI engines under a certain path. With that token you can mount the engine, generate a CA, configure roles, etc.
There’s one thing the limited token can’t do: delete the CA cert itself, via DELETE to `{pki_path}/root`. Explicitly adding permission to this path for a non-root token still results in a 403 from the API. This looks intentional based on the docs: https://www.vaultproject.io/api/secret/pki/index.html#delete-root
But, if the limited token can delete the mount path, it can be used to delete the PKI engine itself, recreate it, and regenerate a new CA, and this is the workaround I’m using.
Of course, the token shouldn’t have the delete permission if you don’t want this to happen, but I don’t understand why an admin can’t grant permission to delete a CA if they so choose. Can someone help explain?
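For reference, the policy shapes at issue, added here as an illustration and not part of the original post. It assumes Vault's HCL policy syntax, a mount at `pki/`, and that the `root` delete endpoint is one of the backend's sudo-protected paths, so `delete` alone is rejected and the `sudo` capability has to be granted on that path as well:

```hcl
# Fragment 1 (assumed): the "full control" policy described in the post.
# Everything under the mount works, yet DELETE pki/root still returns 403,
# because a sudo-protected path needs the "sudo" capability, not just "delete".
path "pki/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Being able to disable and re-enable the mount is what makes the
# delete-and-recreate workaround possible; it is broader than deleting one CA.
path "sys/mounts/pki" {
  capabilities = ["create", "read", "update", "delete"]
}

# Fragment 2 (assumed): narrower grant that targets only the protected path.
# "sudo" here is scoped to pki/root, so the token still cannot drop the mount.
path "pki/root" {
  capabilities = ["delete", "sudo"]
}
```

Whether a token actually holds the needed capability on the path can be checked with `vault token capabilities <token> pki/root` before relying on either approach.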