Policy access to move secrets endpoints

Dear hashicorp community,

I would like to modify a policy so tokens under it can move secrets from one path to another. I have added this to the policy:

path "sys/remount" { capabilities = ["update", "sudo"] }

but this gives the user permission to move any secrets under any path. How can I restrict this so the user can only move secrets under the test path? For instance, to be able to do: vault secrets move test/kv test/new-kv

Thank you very much.

Hey!

Have a look at the allowed_parameters parameter for your policy. You can specify here which paths can be moved from and which can be moved to.

For example:

path "sys/remount" {
  capabilities = ["update", "sudo"]
  allowed_parameters = {
    "from" = ["test/*"]
    "to"   = ["test/*"]
  }
}
3 Likes
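To see which moves the stanza above actually permits before rolling it out, here is a small model of the check, added as an illustration and not code from the thread or from Vault itself. It reproduces the documented behaviour of allowed_parameters (prefix/suffix globbing with `*`, an empty list meaning any value, and unlisted parameters being denied unless a `*` key is present) and runs a few constructed `vault secrets move` requests through it. The policies and requests are constructed for the example; a mount named exactly `test` is included to show that `test/*` only matches paths under `test/`.

```python
"""Model of how a Vault policy's allowed_parameters constrains sys/remount.

Added illustration, not Vault's own code: it mirrors the documented
glob rules so the effect of the policy stanza above can be checked offline.
"""


def glob_match(pattern: str, value: str) -> bool:
    """Match one allowed_parameters value against a request parameter.

    Globbing is only a leading and/or trailing '*'; anything else is literal.
    Patterns shorter than two characters are compared literally in this model.
    """
    if len(pattern) < 2:
        return value == pattern
    prefix_glob = pattern.startswith("*")
    suffix_glob = pattern.endswith("*")
    if prefix_glob and suffix_glob:
        return pattern[1:-1] in value
    if prefix_glob:
        return value.endswith(pattern[1:])
    if suffix_glob:
        return value.startswith(pattern[:-1])
    return value == pattern


def remount_allowed(allowed_parameters: dict, request: dict) -> bool:
    """Return True if every parameter of a sys/remount request is permitted.

    allowed_parameters: the policy stanza as key -> list of patterns.
      {} means the stanza is absent (the original policy): nothing is constrained.
      An empty list for a key allows any value for that key.
      A request key that is not listed is denied unless a "*" key exists.
    request: what `vault secrets move FROM TO` sends, i.e. {"from": ..., "to": ...}.
    """
    if not allowed_parameters:
        return True
    for key, value in request.items():
        if key in allowed_parameters:
            patterns = allowed_parameters[key]
        elif "*" in allowed_parameters:
            patterns = allowed_parameters["*"]
        else:
            return False  # parameter not listed at all: denied
        if patterns and not any(glob_match(p, value) for p in patterns):
            return False
    return True


# Constructed policies: the original stanza (no allowed_parameters) and the fix.
UNRESTRICTED = {}
TEST_ONLY = {"from": ["test/*"], "to": ["test/*"]}


def move_request(src: str, dst: str) -> dict:
    """Parameters the CLI sends for `vault secrets move src dst`."""
    return {"from": src, "to": dst}


def evaluate(policy: dict) -> dict:
    """Run a fixed set of constructed moves through one policy."""
    cases = {
        "test/kv -> test/new-kv": move_request("test/kv", "test/new-kv"),
        "test/kv -> prod/kv": move_request("test/kv", "prod/kv"),
        "secret/kv -> test/kv": move_request("secret/kv", "test/kv"),
        "test -> test/kv": move_request("test", "test/kv"),  # bare 'test' mount
    }
    return {name: remount_allowed(policy, req) for name, req in cases.items()}


if __name__ == "__main__":
    for label, policy in (("unrestricted", UNRESTRICTED), ("test only", TEST_ONLY)):
        print(f"policy: {label}")
        for name, ok in evaluate(policy).items():
            print(f"  {name:24} {'allowed' if ok else 'denied'}")
```

The last case is the one to keep in mind when writing the stanza: `test/*` is a prefix match on the literal string `test/`, so a mount named plainly `test` would need its own entry in the list if it should be movable too.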

Thank you, that solved the issue.

1 Like