Closed 7hunderbird closed 3 years ago
Today I was examining the vault policy created by the setup-approle addon.
And saw this policy:
```
$ safe vault policy read genesis-pipelines
# Allow the pipelines to read all items within Vault, and write to secret/exodus (for genesis exodus data)
path "/secret/*" {
  capabilities = ["read", "list"]
}
path "/secret/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}
```
Is the second path meant to be /secret/exodus/* instead?
It may be a combo of how the path for secrets_mount gets set in genesis.
And how the matching_mount function affects the exo_mnt value in the addon script.
For now, the security impact is that the app-role can write to anything in Vault, instead of only in the exodus path.
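The over-broad policy quoted above is easy to miss by eye because the two stanzas look alike. The following is an added example (not code from the issue, from Genesis, or from the setup-approle addon) of a small lint that parses the flat `path "..." { capabilities = [...] }` form Vault policies use and reports every stanza granting write capabilities on a pattern that is not confined to an expected prefix. Both policy texts embedded in it are constructed: the first reproduces the stanzas quoted in the issue, the second is the hypothetical corrected form with `/secret/exodus/*` as the write path. The set of capabilities treated as "write" and the glob handling (only a trailing `*`, no `+` segment wildcards) are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample: the policy as quoted in the issue (writes allowed on all of /secret/*).
BROAD_POLICY = '''
# Allow the pipelines to read all items within Vault, and write to secret/exodus (for genesis exodus data)
path "/secret/*" {
  capabilities = ["read", "list"]
}
path "/secret/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}
'''

# Constructed sample: the hypothetical corrected policy the issue asks about.
FIXED_POLICY = '''
path "/secret/*" {
  capabilities = ["read", "list"]
}
path "/secret/exodus/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}
'''

# Assumption for this lint: these capabilities are the ones that let a token change data.
WRITE_CAPS = {"create", "update", "delete", "patch", "sudo"}

# Matches one flat stanza: path "<pattern>" { capabilities = [ ... ] }
# This is deliberately not a full HCL parser; nested or multi-attribute stanzas are ignored.
STANZA_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}',
    re.S,
)


def parse_policy(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path_pattern, capabilities) for each stanza, in file order."""
    stanzas = []
    for m in STANZA_RE.finditer(text):
        caps = [c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()]
        stanzas.append((m.group("path"), caps))
    return stanzas


def pattern_within(pattern: str, allowed_prefix: str) -> bool:
    """True if every path the stanza pattern can match lies under allowed_prefix.

    Only a trailing '*' is treated as a glob (assumption: '+' segment wildcards are not
    handled). Leading slashes are dropped so "/secret/*" and "secret/*" compare equal.
    """
    p = pattern.lstrip("/")
    allowed = allowed_prefix.lstrip("/").rstrip("*")
    if p.endswith("*"):
        # "secret/*" can match "secret/anything", so it is inside "secret/exodus/" only
        # if the literal part before the glob already starts with that prefix.
        return p[:-1].startswith(allowed)
    return p.startswith(allowed)


def find_overbroad_writes(text: str, allowed_write_prefix: str) -> List[Tuple[str, List[str]]]:
    """Return (path_pattern, write_caps) for every stanza that grants write
    capabilities on a pattern not confined to allowed_write_prefix."""
    findings = []
    for path, caps in parse_policy(text):
        granted = sorted(WRITE_CAPS & set(caps))
        if granted and not pattern_within(path, allowed_write_prefix):
            findings.append((path, granted))
    return findings


if __name__ == "__main__":
    for name, policy in (("as reported", BROAD_POLICY), ("corrected", FIXED_POLICY)):
        findings = find_overbroad_writes(policy, "secret/exodus/*")
        print(f"{name}: {findings or 'no over-broad write stanzas'}")
```

Run against `safe vault policy read genesis-pipelines` output saved to a file, the lint reports the second `/secret/*` stanza as granting `create`, `delete` and `update` outside `secret/exodus/*`, and reports nothing for the corrected policy. Because it checks each stanza on its own, it does not depend on how Vault resolves two stanzas with the same path; any stanza that can write outside the intended prefix is flagged.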
Thanks @dennisjbell for the update. 👍
Fixed in v3.21.3