Hi everyone,
I am new to Vault and just doing the Tutorial on Vault policies.
As another user stated in 2020 (without a single reply), the tutorial provides HCL code, which creates an “admin” policy and shows how to create a token with that policy applied.
In the “Check token capabilities” section of that tutorial, the command `vault token capabilities $ADMIN_TOKEN sys/auth/approle` shows the following capabilities: `create, delete, read, sudo, update`.
When I do the same on my Vault 1.17.2, that command shows the following capabilities: `create, delete, sudo, update` (`read` missing).
Looking at the admin policy definition, I’m unsure if this is a bug in the tutorial or in my version of Vault, since `read` seems to be defined for the path `sys/auth` only, not for `sys/auth/*`:
```hcl
# Read system health check
path "sys/health"
{
  capabilities = ["read", "sudo"]
}

# Create and manage ACL policies broadly across Vault

# List existing policies
path "sys/policies/acl"
{
  capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Enable and manage authentication methods broadly across Vault

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*"
{
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}

# Enable and manage the key/value secrets engine at path

# List, create, update, and delete key/value secrets
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts"
{
  capabilities = ["read"]
}
```
I’d like to report this as an issue for either the capabilities evaluation in Vault 1.17.2 or to fix the tutorial.

Can you guys tell me which one is the real issue?
Best regards,
Marc
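As an added illustration (not part of the original post, and not Vault's own code), here is a small Python model of Vault's documented ACL matching order, run over the admin policy quoted above: an exact path match wins, otherwise the rule whose trailing `*` glob has the longest prefix wins. The policy dict is a hand-transcription of the HCL; the model deliberately omits the `+` segment wildcard and merging across multiple attached policies, so it only shows which single rule a request path resolves to.

```python
# Rules transcribed from the admin policy above (constructed dict, not HCL).
ADMIN_POLICY = {
    "sys/health": ["read", "sudo"],
    "sys/policies/acl": ["list"],
    "sys/policies/acl/*": ["create", "read", "update", "delete", "list", "sudo"],
    "auth/*": ["create", "read", "update", "delete", "list", "sudo"],
    "sys/auth/*": ["create", "update", "delete", "sudo"],
    "sys/auth": ["read"],
    "secret/*": ["create", "read", "update", "delete", "list", "sudo"],
    "sys/mounts/*": ["create", "read", "update", "delete", "list", "sudo"],
    "sys/mounts": ["read"],
}


def match_rule(policy, request_path):
    """Return (rule_path, capabilities) the simplified model applies to request_path.

    Simplified model of Vault's documented order: an exact match on the
    request path wins outright; otherwise, among rules ending in '*', the one
    with the longest matching prefix wins. No rule at all means deny.
    The '+' single-segment wildcard is not modelled here.
    """
    if request_path in policy:
        return request_path, policy[request_path]
    best = None
    for rule, caps in policy.items():
        if rule.endswith("*") and request_path.startswith(rule[:-1]):
            if best is None or len(rule) > len(best[0]):
                best = (rule, caps)
    return best if best is not None else (None, ["deny"])


def capabilities(policy, request_path):
    """Sorted capability list, mirroring how `vault token capabilities` prints them."""
    _, caps = match_rule(policy, request_path)
    return sorted(caps)


if __name__ == "__main__":
    for p in ("sys/auth", "sys/auth/approle", "secret/foo", "sys/seal"):
        rule, _ = match_rule(ADMIN_POLICY, p)
        print(f"{p:20s} -> rule {rule!r:22s} caps {capabilities(ADMIN_POLICY, p)}")
```

Running it shows `sys/auth/approle` resolving to the `sys/auth/*` rule (no `read`), while only the exact path `sys/auth` picks up the `read`-only rule.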