Preflight error with templated policy

I’m trying to use templated policies to substitute token metadata for policy paths. But I’m running into a strange error, hoping someone can point out what I’ve done wrong.

Start with a fresh 1.7.0 vault: vault server -dev

Using the root token, I did some initial setup:

$ vault policy read literal
path "secret/+/cicd/rvandegrift/*" {
  capabilities = ["list", "read"]
}
$ vault policy read template
path "secret/+/cicd/{{identity.entity.metadata.namespace}}/*" {
  capabilities = ["list", "read"]
}
$ vault kv list secret/cicd/rvandegrift
Keys
----
secret
$ vault kv get secret/cicd/rvandegrift/secret
====== Metadata ======
Key              Value
---              -----
created_time     2021-04-13T23:10:35.265532714Z
deletion_time    n/a
destroyed        false
version          1

==== Data ====
Key     Value
---     -----
wooo    yeah

Now, issue two tokens to test the policies:

$ literal_token=$(vault token create \
        -policy=default \
        -policy=literal \
        -metadata=namespace=rvandegrift \
        -field=token)
$ template_token=$(vault token create \
        -policy=default \
        -policy=template \
        -metadata=namespace=rvandegrift \
        -field=token)

literal_token works as expected:

$ VAULT_TOKEN=$literal_token vault kv list secret/cicd/rvandegrift
Keys
----
secret
$ VAULT_TOKEN=$literal_token vault kv get -field=wooo secret/cicd/rvandegrift/secret
yeah

But the template_token does not:

$ VAULT_TOKEN=$template_token vault kv list secret/cicd/rvandegrift/secret
Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/cicd/rvandegrift/secret
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "secret/cicd/rvandegrift/secret/"
$ VAULT_TOKEN=$template_token vault kv get secret/cicd/rvandegrift/secret
Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/cicd/rvandegrift/secret
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "secret/cicd/rvandegrift/secret/"

I don’t understand the error message above - if I understood the templated policy correctly, it does permit access to those paths. But also, that’s not the usual 403 permission denied error. So what’s up with that?

Here’s what I missed - templated policies require creating entities and aliases, and attaching metadata to the entities/aliases. The metadata in the policy template is, unfortunately, unrelated to token metadata.

I was hoping to use jwt claims as metadata in templated policies, but as far as I can tell, that’s not possible without "Token metadata support for policy template" (hashicorp/vault issue #10460 on GitHub).

Just for completeness, I thought this would do the trick:

$ vault write identity/entity name=my-entity policies=template metadata=namepsace=rvandegrift
Key        Value
---        -----
aliases    <nil>
id         7f117247-c380-7f93-a0d1-434d9fbc145e
name       my-entity
$ vault write identity/entity-alias name=my-entity-alias canonical_id=7f117247-c380-7f93-a0d1-434d9fbc145e mount_accessor=auth_token_081f9242
Key             Value
---             -----
canonical_id    7f117247-c380-7f93-a0d1-434d9fbc145e
id              c878a036-b965-0788-055c-d1e67b135f4f
$ vault write auth/token/roles/my-token-role allowed_entity_aliases=my-entity-alias allowed_policies=template
Success! Data written to: auth/token/roles/my-token-role
$ vault token create -entity-alias=my-entity-alias -role=my-token-role
Key                  Value
---                  -----
token                s.w4lBlLNpyR3XdpdCO45MZo2D
token_accessor       CpIpHsqywvLcP2GS4nTfpS16
token_duration       768h
token_renewable      true
token_policies       ["default" "template"]
identity_policies    ["template"]
policies             ["default" "template"]
$ VAULT_TOKEN=s.w4lBlLNpyR3XdpdCO45MZo2D vault token lookup
Key                            Value
---                            -----
accessor                       CpIpHsqywvLcP2GS4nTfpS16
creation_time                  1618422488
creation_ttl                   768h
display_name                   token
entity_id                      7f117247-c380-7f93-a0d1-434d9fbc145e
expire_time                    2021-05-16T10:48:08.377983528-07:00
explicit_max_ttl               0s
external_namespace_policies    map[]
id                             s.w4lBlLNpyR3XdpdCO45MZo2D
identity_policies              [template]
issue_time                     2021-04-14T10:48:08.377992322-07:00
meta                           <nil>
num_uses                       0
orphan                         false
path                           auth/token/create/my-token-role
policies                       [default template]
renewable                      true
role                           my-token-role
ttl                            767h51m52s
type                           service

But that still doesn’t work:

$ VAULT_TOKEN=s.w4lBlLNpyR3XdpdCO45MZo2D vault kv get secret/cicd/rvandegrift/secret
Error making API request.

URL: GET http://localhost:8200/v1/sys/internal/ui/mounts/secret/cicd/rvandegrift/secret
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "secret/cicd/rvandegrift/secret/"
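To make the distinction in the thread concrete, here is a small added model (not Vault's code, and not part of the original post) of how a templated policy path is rendered and matched. It assumes a simplified version of Vault's rules: `{{identity.entity.metadata.KEY}}` is filled only from the entity's metadata, never from token metadata; a parameter that cannot be resolved leaves the rule granting nothing (an assumption of this model); `+` matches one path segment and a trailing `*` matches any suffix; and a KV v2 `vault kv get secret/cicd/rvandegrift/secret` is checked against the API path `secret/data/cicd/rvandegrift/secret`, which is why the policies carry the `+` segment. The scenarios at the end reproduce the post: the literal policy grants access, the template with only token metadata does not, an entity whose metadata key does not match the template parameter (for example `namepsace` rather than `namespace`) does not, and an entity with `namespace=rvandegrift` does.

```python
"""Toy model of Vault ACL path matching with entity-metadata templating.

Constructed example: mirrors the behaviour described in the thread but is not
Vault's implementation. Only the '+' and trailing '*' wildcards are modelled.
"""
import re
from typing import Dict, List, Optional, Set

# Only entity metadata is a valid template source in this model.
TEMPLATE_RE = re.compile(r"\{\{identity\.entity\.metadata\.([A-Za-z0-9_-]+)\}\}")


def render_path(template: str, entity_metadata: Dict[str, str]) -> Optional[str]:
    """Substitute entity metadata into a templated path.

    Model assumption: if any parameter cannot be resolved from the entity's
    metadata, the rule is unusable and None is returned (it grants nothing).
    """
    missing = False

    def substitute(match: "re.Match[str]") -> str:
        nonlocal missing
        value = entity_metadata.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    rendered = TEMPLATE_RE.sub(substitute, template)
    return None if missing else rendered


def path_matches(rule: str, request: str) -> bool:
    """Vault-style match: '+' matches exactly one segment, a trailing '*' any suffix."""
    glob = rule.endswith("*")
    if glob:
        rule = rule[:-1]
    rule_segs = rule.split("/")
    req_segs = request.split("/")
    if glob:
        # Every segment before the '*' must match; the final rule segment is a
        # prefix of the corresponding request segment (empty prefix matches all).
        if len(req_segs) < len(rule_segs):
            return False
        head, last = rule_segs[:-1], rule_segs[-1]
        if any(r != "+" and r != q for r, q in zip(head, req_segs)):
            return False
        return req_segs[len(head)].startswith(last)
    if len(rule_segs) != len(req_segs):
        return False
    return all(r == "+" or r == q for r, q in zip(rule_segs, req_segs))


def capabilities(policies: Dict[str, Dict[str, List[str]]],
                 entity_metadata: Dict[str, str], request: str) -> Set[str]:
    """Union of capabilities granted on `request` by all rendered policy rules."""
    granted: Set[str] = set()
    for rules in policies.values():
        for template, caps in rules.items():
            rendered = render_path(template, entity_metadata)
            if rendered is not None and path_matches(rendered, request):
                granted |= set(caps)
    return granted


# The two policies from the thread, as name -> {path: capabilities}.
LITERAL = {"secret/+/cicd/rvandegrift/*": ["list", "read"]}
TEMPLATE = {"secret/+/cicd/{{identity.entity.metadata.namespace}}/*": ["list", "read"]}

# KV v2 rewrites `vault kv get secret/cicd/rvandegrift/secret` to this API path.
REQUEST = "secret/data/cicd/rvandegrift/secret"


def scenarios() -> Dict[str, Set[str]]:
    """Reproduce the thread's cases. Token metadata never reaches the template,
    so it is simply absent from the entity_metadata argument."""
    return {
        "literal": capabilities({"literal": LITERAL}, {}, REQUEST),
        # Token created with -metadata=namespace=... but no entity metadata.
        "template_token_metadata_only": capabilities({"template": TEMPLATE}, {}, REQUEST),
        # Entity metadata key does not match the template parameter name.
        "template_entity_key_mismatch": capabilities(
            {"template": TEMPLATE}, {"namepsace": "rvandegrift"}, REQUEST),
        "template_entity_ok": capabilities(
            {"template": TEMPLATE}, {"namespace": "rvandegrift"}, REQUEST),
        # Correct key, but the entity belongs to a different namespace.
        "template_other_namespace": capabilities(
            {"template": TEMPLATE}, {"namespace": "other"}, REQUEST),
    }


if __name__ == "__main__":
    for name, caps in scenarios().items():
        print(f"{name:32s} {sorted(caps) or 'denied'}")
```

Run it and only `literal` and `template_entity_ok` return `['list', 'read']`; the other three are denied, which is the pattern of 403s shown in the thread. The model also shows why the `+` segment matters: the same rule matches both `secret/data/...` and `secret/metadata/...` for the namespace, and nothing outside it.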