hashicorp / vault-service-broker

The official HashiCorp Vault broker integration to the Open Service Broker API. This service broker provides support for secure secret storage and encryption-as-a-service to HashiCorp Vault.
https://www.vaultproject.io/
Mozilla Public License 2.0

Support for PKI Backend ? #10

Closed alwaysastudent closed 7 years ago

alwaysastudent commented 7 years ago

Like generic or transit backends, do you think the PKI backend should also be established with mounts and policies on the servers and the same be populated on the VCAP_SERVICES?

sethvargo commented 7 years ago

Hi @alwaysastudent

Unlike generic or transit, the PKI backend requires significant configuration that we (the broker) cannot possibly know in advance. This is also why we recommend running Vault as its own service. As a Vault administrator, you can configure it to enable the PKI backend with the proper things.

alwaysastudent commented 7 years ago

@sethvargo - So do you recommend to have the policy manually modified, for the token generated when the broker service instance is created?

sethvargo commented 7 years ago

Hi @alwaysastudent

You can attach multiple policies to the token during generation, so you would change the policy that is applied when the broker creates a token.

alwaysastudent commented 7 years ago

@sethvargo - I didn't understand. Are you saying an operator should grab hold of the service instance id and go to the vault server and edit the policy for the same?

#vault policies cf-53d02677-5b17-4044-ad2d-00de655ceba5

path "cf/53d02677-5b17-4044-ad2d-00de655ceba5" {
  capabilities = ["list"]
}

path "cf/53d02677-5b17-4044-ad2d-00de655ceba5/*" {
  policy = "write"
}

path "cf/d0cae1cd-e4e2-44f4-9718-a1f6d54d605b" {
  capabilities = ["list"]
}

path "cf/d0cae1cd-e4e2-44f4-9718-a1f6d54d605b/*" {
  policy = "write"
}

path "cf/9a9fb216-42ae-4bfb-865e-69b44e256a98" {
  capabilities = ["list"]
}

path "cf/9a9fb216-42ae-4bfb-865e-69b44e256a98/*" {
  policy = "read"
}
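The suggestion above is that the broker need not edit a per-instance policy at all: a token can carry several policies, so an operator-managed PKI policy is simply added to the list when the token is created. The Go below is an added illustration of that flow, not code from vault-service-broker. It renders the per-instance rules in the same shape as the policy pasted in this thread (using the `capabilities` form throughout; the deprecated `policy = "write"` is the same set of capabilities and `policy = "read"` is read plus list), assembles the policy list for a token create request, and emits the request body for Vault's `auth/token/create` endpoint. The extra policy name `pki-issuer` is an assumption: it stands for a policy the Vault administrator has already written on the server, which the broker never creates.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Instance is one provisioned service instance. ReadOnly mirrors the
// read-only third block of the policy pasted in the thread.
type Instance struct {
	ID       string
	ReadOnly bool
}

// RenderInstancePolicy produces the per-instance HCL rules for a generic
// backend mounted under cf/<id>: list on the prefix itself and read or
// full write access below it. Written in the capabilities form; the
// deprecated `policy = "write"` maps to the same capability set and
// `policy = "read"` to read plus list.
func RenderInstancePolicy(inst Instance) string {
	caps := `["create", "read", "update", "delete", "list"]`
	if inst.ReadOnly {
		caps = `["read", "list"]`
	}
	var b strings.Builder
	fmt.Fprintf(&b, "path \"cf/%s\" {\n  capabilities = [\"list\"]\n}\n\n", inst.ID)
	fmt.Fprintf(&b, "path \"cf/%s/*\" {\n  capabilities = %s\n}\n", inst.ID, caps)
	return b.String()
}

// TokenPolicies assembles the policy names for one token: the broker's
// per-instance policy plus any extra policies an operator pre-created on
// the Vault server (a PKI-scoped policy, for example). Blank and duplicate
// names are dropped and the result is sorted so requests are stable.
func TokenPolicies(instancePolicy string, extra ...string) []string {
	seen := map[string]bool{instancePolicy: true}
	out := []string{instancePolicy}
	for _, p := range extra {
		p = strings.TrimSpace(p)
		if p == "" || seen[p] {
			continue
		}
		seen[p] = true
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// tokenCreateRequest carries the fields of Vault's auth/token/create API
// that matter here.
type tokenCreateRequest struct {
	Policies  []string `json:"policies"`
	TTL       string   `json:"ttl,omitempty"`
	Renewable bool     `json:"renewable"`
}

// TokenCreateBody renders the JSON body for POST /v1/auth/token/create.
func TokenCreateBody(policies []string, ttl string) ([]byte, error) {
	return json.Marshal(tokenCreateRequest{Policies: policies, TTL: ttl, Renewable: true})
}

func main() {
	// Instance ID taken from the policy pasted in the thread.
	id := "53d02677-5b17-4044-ad2d-00de655ceba5"
	fmt.Print(RenderInstancePolicy(Instance{ID: id}))
	// "pki-issuer" is an assumed name for an operator-managed policy; it
	// must already exist on the Vault server, the broker does not create it.
	body, err := TokenCreateBody(TokenPolicies("cf-"+id, "pki-issuer"), "768h")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```

The point for an operator is that the broker's per-instance policy stays untouched and purely generic; anything PKI-specific lives in a separately maintained policy whose name is appended at token creation, so the blast radius of a leaked binding token is bounded by exactly those two policies.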