PKI Engine CA DELETE behavior

I’m confused about how one of the PKI engine’s permission behaviors is implemented. tldr, why can’t a non-root token delete the CA within a PKI engine it otherwise has complete access to?

Say you create a PKI engine with a token limited just to managing (ie, all perms) PKI engines under a certain path. With that token you can mount the engine, generate a CA, configure roles, etc.

There’s one thing the limited token can’t do: delete the CA cert itself, via DELETE to {pki_path}/root. Explicitly adding permission to this path for a non-root token still results in a 403 from the API. This looks intentional based on the docs - https://www.vaultproject.io/api/secret/pki/index.html#delete-root

But, if the limited token can delete the mount path, it can be used to delete the PKI engine itself, recreate it, and regenerate a new CA, and this is the workaround I’m using.

Of course, the token shouldn’t have the delete permission if you don’t want this to happen, but I don’t understand why an admin can’t grant permission to delete a CA if they so choose. Can someone help explain?

You can grant permissions to a token with the sudo capability [1]. The example you give around creating/removing mounts is usually only given to a very small subset of tokens where policy administrators are much more likely to grant all operations to a given mount to users (least privilege is still the best course of action). This just puts an extra capability requirement around very sensitive operations within a mount.

[1] https://www.vaultproject.io/docs/concepts/policies.html#sudo

Oh! Great, so it’s just an anti-foot-gunning thing. Thank you for the clarification, Chris!