fabiolb / fabio

Consul Load-Balancing made simple
https://fabiolb.net
MIT License

Documented preflight policy path #877

Open knorx opened 2 years ago

knorx commented 2 years ago

Added a section describing that newer versions of Vault need the preflight check path to be readable. (fixes #876)

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.

knorx commented 2 years ago

Added documentation for token renewal, which was also missing.

nathanejohnson commented 2 years ago

I set up a local Vault instance running in dev mode, pointed my fabio instance to it, and I was able to create the following minimal policy to support the v2 kv store, with the preflight check. It appears that it is unnecessary to use the full ui mount path in the policy:

```hcl
path "secret/data/fabio/certs/*" {
  capabilities = ["read"]
}

path "secret/metadata/fabio/certs" {
  capabilities = ["list"]
}
```

The ability to self-renew is enabled in the default policies, though I do agree it would be useful to call it out in case some operator has removed this from the default policy. This is the default policy on my local dev instance, which was just created:

```hcl
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
    capabilities = ["read"]
}

# Allow tokens to renew themselves
path "auth/token/renew-self" {
    capabilities = ["update"]
}

# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
    capabilities = ["update"]
}
```

If you could validate my findings and update your documentation PR to include this, I'd like you to get credit for finding this. Another tidbit: it's important to create the token as an orphan and with an explicit period, so that this will keep the token from bumping into the implicit max TTL, which prevents the token from renewing after a time.
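The following Python script is an added illustration for this thread; it is not code from fabio, Vault, or this PR. It models the subset of Vault's ACL semantics that decides whether the policies quoted above are sufficient (exact path rules, trailing-`*` glob rules with longest prefix winning, `deny` overriding, default deny) and evaluates the two policies from the comment against a request list. The request list, the example certificate name `www.example.com`, the policy name `fabio`, and the "KV v1 style" policy used as a negative case are assumptions for the demonstration; the minimal policy and the default-policy excerpt are copied verbatim from the comment.

```python
"""Simplified Vault-style ACL check for a fabio certificate-store policy.

Added illustration, not fabio or Vault code. Modelled rules:
  * a path without a trailing '*' is an exact match;
  * a path ending in '*' is a prefix (glob) match; the longest prefix wins;
  * an exact match beats any glob; a 'deny' capability overrides everything;
  * anything not matched is denied.
Not modelled: '+' segment wildcards, parameter constraints, sudo/root.
"""
import re

# Copied from the comment in this PR thread.
MINIMAL_POLICY = '''
path "secret/data/fabio/certs/*" {
  capabilities = ["read"]
}

path "secret/metadata/fabio/certs" {
  capabilities = ["list"]
}
'''

# Default-policy excerpt copied from the comment (self-renewal is here).
DEFAULT_POLICY = '''
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
    capabilities = ["read"]
}

# Allow tokens to renew themselves
path "auth/token/renew-self" {
    capabilities = ["update"]
}

# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
    capabilities = ["update"]
}
'''

# Assumed negative case: a policy written for the KV v1 path layout, which
# does not cover the KV v2 data/ and metadata/ API paths.
KV1_STYLE_POLICY = '''
path "secret/fabio/certs/*" {
  capabilities = ["read", "list"]
}
'''

# Assumed request set the fabio token must be able to make: read one cert,
# list the cert directory (the preflight check), and renew itself.
FABIO_REQUESTS = [
    ("secret/data/fabio/certs/www.example.com", "read"),
    ("secret/metadata/fabio/certs", "list"),
    ("auth/token/renew-self", "update"),
]

_STANZA = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}'
)


def parse_policy(text):
    """Return [(path, {capabilities})] for each path stanza; comments are skipped."""
    rules = []
    for path, caps in _STANZA.findall(text):
        rules.append((path, {c.strip().strip('"') for c in caps.split(",") if c.strip()}))
    return rules


def _match(rules, req_path):
    """Capabilities granted on req_path, or None when no rule matches."""
    req_path = req_path.rstrip("/")
    exact, globs, found_exact = set(), {}, False
    for path, caps in rules:
        if path.endswith("*"):
            prefix = path[:-1]
            if req_path.startswith(prefix):
                globs.setdefault(prefix, set()).update(caps)
        elif path.rstrip("/") == req_path:
            found_exact = True
            exact.update(caps)  # same exact path in several policies: union
    if found_exact:
        return exact
    if globs:
        return globs[max(globs, key=len)]  # longest matching prefix wins
    return None


def allowed(rules, req_path, capability):
    caps = _match(rules, req_path)
    return caps is not None and "deny" not in caps and capability in caps


def check_policy(policy_texts, requests=FABIO_REQUESTS):
    """Map each (path, capability) request to True/False under the union of policies."""
    rules = [r for text in policy_texts for r in parse_policy(text)]
    return {(p, c): allowed(rules, p, c) for p, c in requests}


if __name__ == "__main__":
    for label, policies in [("minimal+default", [MINIMAL_POLICY, DEFAULT_POLICY]),
                            ("minimal only", [MINIMAL_POLICY]),
                            ("kv1-style+default", [KV1_STYLE_POLICY, DEFAULT_POLICY])]:
        print(label)
        for (path, cap), ok in check_policy(policies).items():
            print(f"  {'ALLOW' if ok else 'DENY ':5} {cap:6} {path}")
```

Running it shows the minimal policy plus the default policy grants all three requests, the minimal policy alone loses `renew-self` (the case the comment suggests calling out), and a KV v1 style path grants nothing on the v2 `secret/data/...` and `secret/metadata/...` paths. To issue the token the comment describes, with the policy name `fabio` assumed here, the Vault CLI form is `vault token create -orphan -period=24h -policy=fabio`; the explicit `-period` is what keeps renewals from running into the implicit max TTL.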