Read policy to key allows write access


I have the following policy:

ID:           d46a887a-8244-8483-59f7-d34ac9961d78
Name:         node-xp
node_prefix "consul-client" {
	policy  = "read"

node_prefix "" {
	policy = "read"

key "consul-client-1/authorized_keys" {
	policy = "read"

The token associated with this policy is used by consul-template to update the ssh authorized keys file.
So my question is simple: I don’t understand why consul-template can change this key when the policy is set to ‘read’. If I comment that stanza altogether or set it to ‘deny’, I immediately get the natural response:

May 10 15:14:45 consul-client-1 consul-template[24366]: 2022-05-10T15:14:45.008Z [WARN] (view) kv.block(consul-client-1/authorized_keys): Unexpected response code: 403 (retry attempt 8 after "32s")

What am I missing here?

Actually I’ve mixed things up. consul-template isn’t writing anything to the kv store, it’s only reading the keys there and it’s writing the content into the authorized_keys file.

So this behaviour is perfectly logical, actually. Sorry for the confusion :slight_smile:

1 Like