I was surprised to find out that as an unauthenticated user, VAULT_ADDR=https://<Vault_URL> vault status works and gives me the full status information about the cluster. This may also mean that some other endpoints under /sys/ are accessible when not authenticated.
I have double-checked that I did not have VAULT_TOKEN set in my environment. I have also checked vault auth list right after, which resulted in a permission denied as expected.
Would a Deny policy on /sys/* be a solution to lock it down?
Forgive my ignorance; I am new to Vault policies, but in this case what should be the policy subject to make it apply to every unauthenticated principal? I’d appreciate a snippet.
edit: Perhaps this needs to be open in order for the authentication to work in the first place? What’s the most security-conservative configuration that wouldn’t break things?
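Some context on the question above, as an added example that is not part of the original post: `vault status` reads `sys/seal-status`, one of a small set of `/sys/` endpoints Vault answers without a token by design (`sys/health`, `sys/leader` and `sys/init` are the others commonly probed), so that load balancers and operators can check a node before anyone can log in. Vault ACL policies, `deny` included, are evaluated only for requests that present a token, so a policy on `sys/*` changes nothing for a request that carries no token at all. What an operator can do is take an inventory of exactly which paths their own cluster answers without a token and then decide whether network access to the API listener should be narrowed. The script below does that inventory. `VAULT_ADDR` defaults to a placeholder, the endpoint list is an assumption covering the documented unauthenticated paths plus a few token-protected ones for comparison, and the `fetch` parameter is a hook so the logic can be exercised offline.

```python
"""Inventory which /v1/sys/ paths a Vault server answers without a token.

Added example, not code from the original post or from HashiCorp. The
endpoint list is a constructed assumption; adjust it for your cluster.
"""
import json
import os
import urllib.error
import urllib.request

# Constructed list: the first four are unauthenticated by design; the rest
# normally answer 400 "missing client token" when no token is sent.
ENDPOINTS = [
    "sys/seal-status",   # what `vault status` calls
    "sys/health",
    "sys/leader",
    "sys/init",
    "sys/mounts",
    "sys/auth",
    "sys/policies/acl",
]


def http_fetch(addr, path):
    """GET the path with no X-Vault-Token header; return (status, body_text)."""
    url = f"{addr.rstrip('/')}/v1/{path}"
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # Vault returns its error JSON on 4xx/5xx; keep the body for classification.
        return exc.code, exc.read().decode("utf-8", "replace")


def classify(body):
    """Map a response body to 'open', 'token-required', 'denied' or 'other'.

    Vault answers {"errors":["missing client token"]} (HTTP 400) when no
    token is sent to an authenticated path and {"errors":["permission
    denied"]} (HTTP 403) when a token lacks capability. sys/health reports
    sealed/standby state through non-200 codes while still returning a
    plain JSON document, so any JSON object without an "errors" key counts
    as served without authentication.
    """
    try:
        payload = json.loads(body) if body.strip() else {}
    except json.JSONDecodeError:
        return "other"
    if not isinstance(payload, dict):
        return "other"
    errors = payload.get("errors") or []
    if errors:
        text = " ".join(str(e) for e in errors).lower()
        if "missing client token" in text:
            return "token-required"
        if "permission denied" in text:
            return "denied"
        return "other"
    return "open"


def audit(addr, endpoints=ENDPOINTS, fetch=http_fetch):
    """Query each path without a token; return {path: {"status", "verdict"}}."""
    results = {}
    for path in endpoints:
        status, body = fetch(addr, path)
        results[path] = {"status": status, "verdict": classify(body)}
    return results


def exposed(results):
    """Paths answered without a token: the set a network control must cover."""
    return sorted(p for p, r in results.items() if r["verdict"] == "open")


if __name__ == "__main__":
    # Placeholder address; set VAULT_ADDR to your own cluster.
    addr = os.environ.get("VAULT_ADDR", "https://vault.example.invalid:8200")
    report = audit(addr)
    for path, r in report.items():
        print(f"{r['status']:>4} {r['verdict']:15} {path}")
    print("served without a token:", ", ".join(exposed(report)) or "(none)")
```

Run it with `VAULT_ADDR` pointing at your own cluster and no `VAULT_TOKEN` in the environment; the paths listed as `open` are the ones a policy cannot govern, which is the list to weigh against where the API listener is reachable from.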