I’m new to Vault, and I’m trying to set up Vault to connect to Active Directory, and allow a specific group to manage (create, update, read, delete) a Key/Value v2 engine named ‘sandbox’.
I have the LDAP side working, as I’m able to sign in via vault login -method=ldap and I get back a good token.
vault login -method=ldap
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token xxxxxxxxxxxxxxxxxxxxxxxxxxxx
token_accessor xxxxxxxxxxxxxxxxxxxxxxxxxxxx
token_duration 10h
token_renewable true
token_policies ["default" "policy-vault-sandbox"]
identity_policies []
policies ["default" "policy-vault-sandbox"]
token_meta_username mdelaney
I have a policy called policy-vault-sandbox, which is defined as:
cat <<EOF | vault policy write policy-vault-sandbox -
path "secret/sandbox/*" {
  capabilities = ["create", "update", "read", "delete"]
}
EOF
This all seems fine, but when I sign into the UI the sandbox engine doesn’t show up, and when I try via vault list secret/sandbox/, I get a permission denied error.
What am I doing wrong?
- Mike D.
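For comparison, here is what a policy scoped to a KV v2 mount typically looks like. This is an added example, not part of the post above and not the poster's policy. It assumes the KV v2 engine is mounted at secret/ (as the post's paths suggest) and that the only prefix to be managed is sandbox/. The point it illustrates: a KV v2 engine does not serve secrets at secret/<name> directly; reads and writes go through secret/data/<name>, while listing (which both the UI and vault kv list rely on) goes through secret/metadata/<name> and needs the list capability. A rule on secret/sandbox/* therefore never matches any request the engine actually receives.

```hcl
# Hypothetical policy "policy-vault-sandbox" for a KV v2 engine mounted at secret/.
# Added example; mount path and prefix are assumptions taken from the post.

# Secret contents (current and prior versions) live under data/.
path "secret/data/sandbox/*" {
  capabilities = ["create", "update", "read", "delete"]
}

# Directory listings and version metadata live under metadata/.
# "list" here is what makes the sandbox/ tree visible in the UI and to `vault kv list`.
path "secret/metadata/sandbox/*" {
  capabilities = ["list", "read", "delete"]
}

# The exact prefix (no trailing component) so listing the top of sandbox/ works too.
path "secret/metadata/sandbox" {
  capabilities = ["list"]
}

# Optional: soft-delete / undelete / permanently destroy specific versions.
# Leave these out if the group should only delete whole secrets via the data/ path.
path "secret/delete/sandbox/*" {
  capabilities = ["update"]
}
path "secret/undelete/sandbox/*" {
  capabilities = ["update"]
}
path "secret/destroy/sandbox/*" {
  capabilities = ["update"]
}
```

A quick way to confirm what a policy grants before handing it to a group is vault token capabilities secret/data/sandbox/example (and the same against secret/metadata/sandbox/), run while logged in with an LDAP token that carries the policy; it prints the effective capabilities for that exact path rather than leaving you to infer them from a permission-denied error. Note also that vault list secret/sandbox/ bypasses the KV v2 path translation, so even with a correct policy the v2-aware vault kv list secret/sandbox is the command to test with.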