Use Vault Policy Password created by administrator

Hi,

I have successfully created a policy for generating passwords in Vault.

When I use this policy to generate a password with an administrator token, it works:

[root@srv-test tmp]# curl \
   --header "X-Vault-Token: s.HIUYHUOUHxKpDTHIU87QJS" \
   https://vault-srv:8200/v1/sys/policies/password/pwd_test_policy/generate

{"request_id":"3a8991c2-02f3-ed01-8b7b-25bdd3949a8b","lease_id":"","renewable":false,"lease_duration":0,"data":{"password":"0OoJ*!wfc5HIrCuD$g1s"},"wrap_info":null,"warnings":null,"auth":null}

But when I try to use this policy with a non-administrator Vault token, I get this message:
Permission denied

Can you help me, please?

Thanks for your help,

Matt

What are you doing in “trying”? Please provide the command and the full error.

Hi,

The test with a token from a non-administrator of Vault :slight_smile:

[root@srv-test  ~]# curl \
>    --header "X-Vault-Token: s.Jio786jhkjhoihilnIx6i" \
>    https://vault-srv:8200/v1/sys/policies/password/pwd_test_policy/generate
{"errors":["1 error occurred:\n\t* permission denied\n\n"]}

Thanks,
Matt

That’s probably just a missing policy in your token’s assigned policy.

With an admin token (or root token):

# vault token capabilities s.Jio786jhkjhoihilnIx6i sys/policies/password/pwd_test_policy/
deny 

Which means you need to add a policy statement:

path "sys/policies/password/pwd_test_policy/*" {
   capabilities = [ "read" ]
}

Hi,
Is there a way to do that via the API?
Thank you for your help,

Matt

Hi,
I found this in the documentation but I don’t know how to build the JSON file to configure read on my password policy.

Matt

$ vault token capabilities -output-curl-string s.Jio786jhkjhoihilnIx6i sys/policies/password/pwd_test_policy/
curl -X POST -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"path":"sys/policies/password/pwd_test_policy/","token":"s.Jio786jhkjhoihilnIx6i"}' https://vault:8200/v1/sys/capabilities

Hi,
I don’t understand your command.
I don’t see READ (for use) permission to use the policy that generates passwords.

Thanks,
Matt

sys/capabilities does not modify your policy. It checks a token against a path to see what the resulting permissions are for that token with the policies it has.

You have to use sys/policies/acl to read and write your policy … there is no “update” AFAIK.

Hi,

Thank you for your explanations.

I have created an ACL policy for my password policy path like this.

Content of the JSON file for the ACL policy creation:

{
  "policy": "path \"sys/policies/password/pwd_test_policy/\"\n{\n  capabilities = [\"list\"]\n}"
}

Creation of the ACL policy:

curl \
    --header "X-Vault-Token: s.dfgdgdgfgIOYT86887HK" \
    --request POST \
    --data @test_vault_policy.json \
    https://vault-srv.fr:8200/v1/sys/policies/acl/pwd_test_policy

Display the ACL policy:

curl \
    --header "X-Vault-Token: s.dfgdgdgfgIOYT86887HK" \
    https://vault-srv:8200/v1/sys/policies/acl/pwd_test_policy

{"request_id":"ebcb09ae-dc9b-d3bb-20d1-8ed1c12f3b15","lease_id":"","renewable":false,"lease_duration":0,"data":{"name":"pwd_test_policy","policy":"path \"sys/policies/password/pwd_test_policy/\"\n{\n capabilities = [\"list\"]\n}"},"wrap_info":null,"warnings":null,"auth":null}

When I try to use my password policy with a non-administrator token, I always get a permission denied.

curl \
    --header "X-Vault-Token: s.HJKhuihUIHO87678HHL" \
    https://vault-srv:8200/v1/sys/policies/password/pwd_test_policy/generate

{"errors":["1 error occurred:\n\t* permission denied\n\n"]}

Thanks for your help,

Matt

I feel like you’re just throwing things against the wall to see what happens rather than learning how it works. I highly recommend just going through the Vault Tutorials - HashiCorp Learn lessons to get the basics.

You don’t “use” the policy. You generate a token with that policy.

You can lookup the token to see what policies it is using with: vault token lookup

Hi,

Yes, I am in the wall :).

I’m not the administrator of our Vault and the team has no time right now.

I use Vault via the API from my Ansible playbook for:

  • Get user and password secret [GET]
  • Create or update secret [GET]
  • Generate a password with this URL [/gen/password] and a JSON file with [length/digits/symbols] [POST]

I want to improve my Vault Ansible role for “Generated password” because with this path to generate a password, /gen/password, there are symbols that cause me problems.

So I tried to create a policy with a list of characters/numbers/symbols that I want/validate.

I have successfully created the password policy but I can’t use it as a non-administrator of Vault.

I understand that ACLs are used to configure permissions on a path.

So I tried to configure [READ] permission on the path of my password policy to allow the [GET] method for a non-administrator of Vault.

Sorry for your time,

Matt

You might be conflating two different things.

The built-in password policies and associated generator are different from the /gen/password API, which, if I’m not mistaken, is actually a third party plugin called vault-secrets-gen. This plugin does not use Vault’s password policies but rather you can pass in various parameters to control which characters are used. It’s not as granular as the built-in password policies, however.

Also, a couple notes on password policies:

  • Listing of policies is not available in Vault prior to 1.10. Currently you’ll need to know what your policy name is to update, read, or delete it
  • To create a new policy you’ll have to create a policy document and upload the doc when creating the policy
    vault write sys/policies/password/my_password_policy policy=@/path/to/my_policy.hcl
  • To generate a password using this policy you would run
    vault read sys/policies/password/my_password_policy/generate

Of course you may need to make ACL policy adjustments to allow using the various API endpoints.

Example policy:

# Manage password policies & generate passwords
path "/sys/policies/password/*" {
  capabilities = ["create", "read", "update", "delete"]
}

But you should also take @aram’s advice to more thoroughly read through the docs and get to know Vault. It may take a little time to get familiar with things but once it clicks it should be pretty easy to find your way around.

Hope this helps.
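As an added illustration, not code from any poster in this thread or from Vault itself: a small Python evaluator of Vault-style ACL path matching (simplified to exact match or a trailing-* glob with the longest glob winning; the + segment wildcard, allowed_parameters and the sys/capabilities endpoint are not modelled). Run over the three policy strings quoted in the thread, it shows why the list-only rule on sys/policies/password/pwd_test_policy/ does not authorize GET on .../generate, while the read rule on the /* subtree does without also granting rights to rewrite the policy.

```python
import re
from typing import Dict, List, Optional

# Minimal parser for the `path "..." { capabilities = [...] }` blocks used in this thread
# (simplification: no "+" wildcards, no allowed_parameters, precedence by rule length only).
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)

# How an HTTP method maps onto the capability a matching rule must grant.
METHOD_CAPS = {"GET": {"read"}, "LIST": {"list"},
               "POST": {"create", "update"}, "PUT": {"create", "update"},
               "DELETE": {"delete"}}


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Return {policy_path: [capabilities]}; a leading '/' is stripped so both spellings compare."""
    return {path.lstrip("/"): re.findall(r'"([^"]+)"', caps)
            for path, caps in RULE_RE.findall(hcl)}


def match_rule(rules: Dict[str, List[str]], request_path: str) -> Optional[str]:
    """Exact path wins; otherwise the longest rule ending in '*' whose prefix covers the request."""
    request_path = request_path.lstrip("/")
    if request_path in rules:
        return request_path
    globs = [p for p in rules if p.endswith("*") and request_path.startswith(p[:-1])]
    return max(globs, key=len) if globs else None


def is_allowed(hcl: str, method: str, request_path: str) -> bool:
    """True if the policy grants a capability that `method` on `request_path` needs."""
    rules = parse_policy(hcl)
    rule = match_rule(rules, request_path)
    if rule is None or "deny" in rules[rule]:
        return False
    return bool(METHOD_CAPS[method.upper()] & set(rules[rule]))


# The three policies quoted in the thread, embedded inline.
LIST_ONLY = 'path "sys/policies/password/pwd_test_policy/"\n{\n  capabilities = ["list"]\n}'
READ_SUBTREE = 'path "sys/policies/password/pwd_test_policy/*" {\n   capabilities = [ "read" ]\n}'
ADMIN = 'path "/sys/policies/password/*" {\n  capabilities = ["create", "read", "update", "delete"]\n}'
GENERATE = "sys/policies/password/pwd_test_policy/generate"

if __name__ == "__main__":
    for name, pol in [("list-only", LIST_ONLY), ("read-subtree", READ_SUBTREE), ("admin", ADMIN)]:
        print(f"{name:13s} GET {GENERATE}: {is_allowed(pol, 'GET', GENERATE)}")
```

A token carrying only LIST_ONLY matches no rule for the generate path, which is the "deny" that `vault token capabilities` reports in the thread.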

Hi everyone,

Thanks for your advice.

I went to see the team responsible for our Vault.
We created an ACL policy and gave our LDAP group the right to use it.

Now, with a non-administrator token, I can use my password policy.

Thanks all,

Matt