Policies and globbing

SatyrTrickster · November 7, 2019, 2:54pm

Hi! I got confused by Vault documentation & issue tracker contradicting each other, could someone please help?
In docs for policies https://www.vaultproject.io/docs/concepts/policies.html it says I can do the following

# Permit reading the "teamb" path under any top-level path under secret/
path "path/to/my/+/teamb" {
  capabilities = ["read"]
}

Which fits the bill for my case. However, it has no effect (no capabilities from this policy are applied to ‘teamb’ - when I do ‘token capabilities path/to/my/service_name/teamb’, there is no ‘Read’ which should’ve been applied by the policy above).

Now, I’ve seen quite a few closed issues on github saying that globbing is not supported at all and there are no plans for it.

So, question is: can I provide capabilities to a specific secret under different ‘parent’ folders?

yhyakuna · November 7, 2019, 4:45pm

I tested with K/V v2 and “+” works. You can try --> https://www.katacoda.com/hashicorp/scenarios/vault-policies

My policy looks like:

path "secret/data/+/apikey" {
   capabilities = ["create", "read", "update", "delete"]
}

And the following command works.

$ vault kv get secret/team-eng/apikey

If you are using Identity Entities or Groups, use ACL Templating is another option.

Hope this helps.

Topic		Replies	Views
Need clarification on policies Vault	7	709	April 13, 2021
Understanding Vault policies behavior Vault	2	362	November 16, 2019
Not understanding Vault policies for secret paths Vault	8	2789	June 7, 2021
Policy issues using sub folder permissions Vault	2	2462	March 1, 2021
Is policy limited for engine level only or all path & sub-path? Vault vault , policy-as-code	5	982	May 24, 2022

Policies and globbing

Related topics