Policy for /pki/issuer/:issuer_ref

Hi!

Terraform is trying to update the PKI issuer's CRL URL and it faces a problem:

Error: error updating issuer data at “pki-test/issuer/9c9d6f9d-bf54-a8f8-48dc-96496a7cf480”, err=Error making API request.

│ URL: PATCH https://vault.company.com/v1/pki-test/issuer/9c9d6f9d-bf54-a8f8-48dc-96496a7cf480
│ Code: 403. Errors:

│ * 1 error occurred:
│ * permission denied

I tried all the ACL paths I can imagine:

path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "pki-test/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "pki-test/issuer/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "pki-test/issuer/9c9d6f9d-bf54-a8f8-48dc-96496a7cf480" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

And all available keywords, nothing works.
I am sure that it is the correct endpoint, but I can't find the appropriate policy.

Can anyone help me with that?

Hello!

From your error message it appears Terraform is performing a PATCH operation. Can you try adding the patch capability to the list of capabilities within the policy?

The list of capabilities includes the following:

  • create (POST/PUT) - Allows creating data at the given path. Very few parts of Vault distinguish between create and update, so most operations require both create and update capabilities. Parts of Vault that provide such a distinction are noted in documentation.
  • read (GET) - Allows reading the data at the given path.
  • update (POST/PUT) - Allows changing the data at the given path. In most parts of Vault, this implicitly includes the ability to create the initial value at the path.
  • patch (PATCH) - Allows partial updates to the data at a given path.
  • delete (DELETE) - Allows deleting the data at the given path.
  • list (LIST) - Allows listing values at the given path. Note that the keys returned by a list operation are not filtered by policies. Do not encode sensitive information in key names. Not all backends support listing.

In addition to the standard set, there are some capabilities that do not map to HTTP verbs.

  • sudo - Allows access to paths that are root-protected. Tokens are not permitted to interact with these paths unless they have the sudo capability (in addition to the other necessary capabilities for performing an operation against that path, such as read or delete). For example, modifying the audit log backends requires a token with sudo privileges.
  • deny - Disallows access. This always takes precedence regardless of any other defined capabilities, including sudo.
  • subscribe - Allows subscribing to events for the given path.
  • recover - Allows recovering the data on the given path from a snapshot.
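A least-privilege version of the policy for this case, added here as an example and not taken from the thread: it grants only the capabilities the issuer endpoints need, including patch, on the pki-test mount, instead of `*` with sudo as in the question. The mount name pki-test comes from the error above; the issuers list path and the policy name are assumptions.

```hcl
# Scoped policy for managing PKI issuer metadata (such as the CRL
# distribution point) on the "pki-test" mount. Added example, not the
# poster's policy.

# Enumerate issuers: LIST /v1/pki-test/issuers
path "pki-test/issuers" {
  capabilities = ["list"]
}

# Read and modify one issuer by id. Terraform's issuer resource sends PATCH,
# which is gated by the "patch" capability; "update" alone covers only
# POST/PUT, which is why the 403 in the question appeared even with sudo.
# "+" matches exactly one path segment (the issuer id), so this does not
# also grant deeper paths under issuer/<id>/ the way a trailing "*" would.
path "pki-test/issuer/+" {
  capabilities = ["read", "update", "patch"]
}
```

Load it with `vault policy write pki-issuer-admin policy.hcl` and, before re-running Terraform, check the token with `vault token capabilities <token> pki-test/issuer/9c9d6f9d-bf54-a8f8-48dc-96496a7cf480`, which should now list patch.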

Thank you so much, I missed that capability.
