Re: How to restrict the User from extending the path

Maitheen786 · August 25, 2022, 1:51am

Hello,

When user entering credentials in Hashicorp Vault UI, how do you prevent the user from extending the path?

My ACL Police:

path “provision/" {
capabilities = [“list”]
}
path "provision/data/+/azrscmbi/dev” {
capabilities = [“create”, “read”, “update”, “patch”, “delete”, “list”]
}

Here, the user can extend the path on his own. At the same time, I want him to be able to store credentials on the path which I provide in the policy. However, I don’t want him to be able to extend the path. The user would be allowed to create a file for storing the key and value, according to the path I specify in the policy

When I remove the Create from the capabilities, user was unable to create a file to store the key and value. My goal is to restrict only the creation of folders.

Thanks!!

maxb · August 25, 2022, 6:44am

The policy you have posted doesn’t allow that.

You must have other policies granting more access.

Maitheen786 · August 26, 2022, 10:40am

Nope, I am damn sure. Because there is no other policy in my vault server.

maxb · August 26, 2022, 11:02am

Perhaps special characters in your policy have been interpreted as formatting codes by the forum software, and removed.

Please check, and repost it as a code block (```)

Maitheen786 · August 29, 2022, 1:26am

Nope, I tried it does not work. Is there another way to achieve this?

maxb · August 29, 2022, 9:55am

I stand by what I previously said.