Sys/internal/ui/mounts deny question

Greetings,

I’m new to Vault, trying to figure out how ACLs work. I have 1.17.5 running.

I get the following:

# vault token capabilities sys/internal/ui/mounts
deny

Though when I run vault read sys/internal/ui/mounts it shows me the actual result instead of a permission denied error message.

Is that intentional? Is there a way to restrict sys/internal/ui/mounts usage?

Can you please share the policies attached to the token you are using?

If you are new to Vault, I would also suggest running through our new tutorials:

Let me know about your token/policies and also let me know if you go through the tutorials and have any feedback on how to improve them.

let me know if you go through the tutorials and have any feedback on how to improve them

The docs are super useful, thanks!

Can you please share the policies attached to the token you are using?

I don’t have access to that; the Vault server I’m playing with is not mine, I’m just trying to learn new stuff. The closest info I can get is

vault read sys/internal/ui/resultant-acl --format=json
{
  "request_id": "a9dbaa2a-bb69-ff18-fbf9-8157c08c5742",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "chroot_namespace": "",
    "exact_paths": {
      "auth/token/lookup-self": {
        "capabilities": [
          "read"
        ]
      },
      "auth/token/renew-self": {
        "capabilities": [
          "update"
        ]
      },
      "auth/token/revoke-self": {
        "capabilities": [
          "update"
        ]
      },
      "identity/entity/id/d2794c98-4722-6a4e-a86a-0a41cc335f62": {
        "capabilities": [
          "read"
        ]
      },
      "identity/entity/name/entity_8d6b8c14": {
        "capabilities": [
          "read"
        ]
      },
      "sys/capabilities-self": {
        "capabilities": [
          "update"
        ]
      },
      "sys/control-group/request": {
        "capabilities": [
          "update"
        ]
      },
      "sys/internal/ui/resultant-acl": {
        "capabilities": [
          "read"
        ]
      },
      "sys/leases/lookup": {
        "capabilities": [
          "update"
        ]
      },
      "sys/leases/renew": {
        "capabilities": [
          "update"
        ]
      },
      "sys/renew": {
        "capabilities": [
          "update"
        ]
      },
      "sys/tools/hash": {
        "capabilities": [
          "update"
        ]
      },
      "sys/wrapping/lookup": {
        "capabilities": [
          "update"
        ]
      },
      "sys/wrapping/unwrap": {
        "capabilities": [
          "update"
        ]
      },
      "sys/wrapping/wrap": {
        "capabilities": [
          "update"
        ]
      }
    },
    "glob_paths": {
      "cubbyhole/": {
        "capabilities": [
          "create",
          "delete",
          "list",
          "read",
          "update"
        ]
      },
      "secret/data/test/storage/": {
        "capabilities": [
          "read"
        ]
      },
      "secret/metadata/test/storage/": {
        "capabilities": [
          "list",
          "read"
        ]
      },
      "sys/tools/hash/": {
        "capabilities": [
          "update"
        ]
      }
    },
    "root": false
  },
  "warnings": [
    "Endpoint ignored these unrecognized parameters: [--format]"
  ]
}

Though does it matter, since vault token capabilities sys/internal/ui/mounts returns deny? I’m specifically curious why I’m getting deny while I can read it. Is this somehow related to sys/internal/ui/mounts being an unauthenticated endpoint?
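The two commands in the question answer different questions, and the ACL output posted above is enough to model both. vault token capabilities evaluates the token's resultant ACL and nothing else, so a path with no matching rule comes back as deny. Vault's system backend, however, serves internal/ui/mounts (and resultant-acl) as unauthenticated paths, so the ACL evaluator is skipped for that request and the token is only used to filter which mounts are listed. The script below is an added example, not Vault's own code: it re-implements the capability lookup (exact match first, then longest glob prefix, deny otherwise) over a trimmed copy of the resultant-acl JSON from the post, and uses an assumed list, UNAUTHENTICATED_PATHS, to stand in for the backend's unauthenticated path list.

```python
"""Model of how `vault token capabilities <path>` is answered from a
resultant ACL, and why an unauthenticated path is still served.

Added example for this thread, not Vault's code. RESULTANT_ACL is a
constructed subset of the sys/internal/ui/resultant-acl output posted
above; UNAUTHENTICATED_PATHS is an assumed stand-in for the system
backend's unauthenticated path list.
"""
import json

# Constructed: trimmed copy of the "data" object from the post.
RESULTANT_ACL = json.loads("""
{
  "exact_paths": {
    "auth/token/lookup-self":        {"capabilities": ["read"]},
    "sys/capabilities-self":         {"capabilities": ["update"]},
    "sys/internal/ui/resultant-acl": {"capabilities": ["read"]},
    "sys/tools/hash":                {"capabilities": ["update"]}
  },
  "glob_paths": {
    "cubbyhole/":                    {"capabilities": ["create", "delete", "list", "read", "update"]},
    "secret/data/test/storage/":     {"capabilities": ["read"]},
    "secret/metadata/test/storage/": {"capabilities": ["list", "read"]},
    "sys/tools/hash/":               {"capabilities": ["update"]}
  },
  "root": false
}
""")

# Assumed: paths the system backend serves without consulting the ACL.
# A trailing "*" matches any suffix, as in Vault's path specs.
UNAUTHENTICATED_PATHS = (
    "sys/internal/ui/mounts",
    "sys/internal/ui/mounts/*",
    "sys/internal/ui/resultant-acl",
)


def capabilities(acl, path):
    """Capabilities the ACL grants on `path`, as `token capabilities` reports.

    exact_paths must equal the whole path; glob_paths are prefixes and the
    longest matching prefix wins. With no match the answer is ["deny"].
    """
    if acl.get("root"):
        return ["root"]
    exact = acl["exact_paths"].get(path)
    if exact is not None:
        return sorted(exact["capabilities"])
    best = None
    for prefix, rule in acl["glob_paths"].items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, rule)
    if best is None:
        return ["deny"]
    return sorted(best[1]["capabilities"])


def is_unauthenticated(path):
    """True if the request would be served without an ACL check."""
    for pattern in UNAUTHENTICATED_PATHS:
        if pattern.endswith("*"):
            if path.startswith(pattern[:-1]):
                return True
        elif path == pattern:
            return True
    return False


def explain(acl, path):
    """Combine both views: what the ACL says, and whether the call succeeds."""
    caps = capabilities(acl, path)
    unauth = is_unauthenticated(path)
    return {
        "capabilities": caps,
        "unauthenticated": unauth,
        "request_served": unauth or caps != ["deny"],
    }


if __name__ == "__main__":
    for p in ("sys/internal/ui/mounts", "secret/data/test/storage/app1",
              "secret/data/test/storage", "secret/data/other"):
        print(p, explain(RESULTANT_ACL, p))
```

Running it shows sys/internal/ui/mounts reported as deny yet served, while secret/data/other is deny and refused. Note also that secret/data/test/storage without the trailing slash is deny: glob_paths are plain prefixes, so a rule on "secret/data/test/storage/" does not cover the bare path.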

My apologies on the policy question, asking for it is my knee jerk reaction to access type questions but thank you for sharing. I will have to dig deeper on that specific endpoint.

Also, you mentioned you’re using someone else’s Vault instance. You can run it locally on your machine, mess around, break it, whatever, and when you restart you’re back at a clean state if you use dev mode with in-memory storage.