Closed alwaysastudent closed 7 years ago
Hi @alwaysastudent
Unlike generic or transit, the PKI backend requires significant configuration that we (the broker) cannot possibly know in advance. This is also why we recommend running Vault as its own service. As a Vault administrator, you can configure it to enable the PKI backend with the proper things.
@sethvargo - So do you recommend having the policy manually modified for the token generated when the broker service instance is created?
Hi @alwaysastudent
You can attach multiple policies to the token during generation, so you would change the policy that is applied when the broker creates a token.
@sethvargo - I didn't understand. Are you saying an operator should grab hold of the service instance id, go to the Vault server and edit the policy for it?
```hcl
# vault policies cf-53d02677-5b17-4044-ad2d-00de655ceba5
path "cf/53d02677-5b17-4044-ad2d-00de655ceba5" {
  capabilities = ["list"]
}
path "cf/53d02677-5b17-4044-ad2d-00de655ceba5/*" {
  policy = "write"
}
path "cf/d0cae1cd-e4e2-44f4-9718-a1f6d54d605b" {
  capabilities = ["list"]
}
path "cf/d0cae1cd-e4e2-44f4-9718-a1f6d54d605b/*" {
  policy = "write"
}
path "cf/9a9fb216-42ae-4bfb-865e-69b44e256a98" {
  capabilities = ["list"]
}
path "cf/9a9fb216-42ae-4bfb-865e-69b44e256a98/*" {
  policy = "read"
}
```
Like the generic or transit backends, do you think the PKI backend should also be established with mounts and policies on the servers, and the same be populated into VCAP_SERVICES?
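As an added example (not code from the issue, the broker, or Vault itself), the snippet below works with the per-instance policy shape shown in the comment above and with the earlier remark that several policies can be attached to a token at creation time: it renders a policy in the same `cf/<instance-id>` layout using the current `capabilities` form instead of the legacy `policy = "write"` shorthand, parses a policy in either form back into per-path capability lists, and reports what a reviewer would want flagged before such a policy is edited by hand. The function names, the `MODES` mapping (which follows Vault's documented expansion of the legacy `read`/`write` shorthands) and the `cf/` prefix check are assumptions for this example; the sample policy text is the one printed in the thread.

```python
"""Render and audit per-service-instance Vault policies (added example).

Hypothetical helpers, not part of the broker: render_policy, parse_policy,
audit_policy. The "cf/<instance-id>" layout mirrors the policy shown in the
issue; SAMPLE_POLICY below is that policy, embedded for offline use.
"""
import re
from typing import Dict, List

# Capability sets in the current, non-deprecated form. Vault documents the
# legacy shorthand as: "read" -> read, list; "write" -> create, read, update,
# delete, list. The policy in the thread still uses the shorthand.
MODES: Dict[str, List[str]] = {
    "write": ["create", "read", "update", "delete", "list"],
    "read": ["read", "list"],
}

# Policy text as printed by `vault policies` in the thread (comment line dropped).
SAMPLE_POLICY = """
path "cf/53d02677-5b17-4044-ad2d-00de655ceba5" {
  capabilities = ["list"]
}
path "cf/53d02677-5b17-4044-ad2d-00de655ceba5/*" {
  policy = "write"
}
path "cf/d0cae1cd-e4e2-44f4-9718-a1f6d54d605b" {
  capabilities = ["list"]
}
path "cf/d0cae1cd-e4e2-44f4-9718-a1f6d54d605b/*" {
  policy = "write"
}
path "cf/9a9fb216-42ae-4bfb-865e-69b44e256a98" {
  capabilities = ["list"]
}
path "cf/9a9fb216-42ae-4bfb-865e-69b44e256a98/*" {
  policy = "read"
}
"""


def render_policy(instances: Dict[str, str]) -> str:
    """Render HCL: a list-only rule on each instance prefix plus a rule with the
    mode's capabilities on everything beneath it, using `capabilities` only."""
    blocks = []
    for instance_id, mode in sorted(instances.items()):
        prefix = f"cf/{instance_id}"
        caps_hcl = ", ".join(f'"{c}"' for c in MODES[mode])
        blocks.append(f'path "{prefix}" {{\n  capabilities = ["list"]\n}}')
        blocks.append(f'path "{prefix}/*" {{\n  capabilities = [{caps_hcl}]\n}}')
    return "\n".join(blocks) + "\n"


# Matches the flat `path "..." { ... }` rules seen in the thread (no nesting).
RULE_RE = re.compile(r'path\s+"(?P<path>[^"]+)"\s*\{(?P<body>[^}]*)\}')


def parse_policy(text: str) -> Dict[str, List[str]]:
    """Map each path to its capability list, expanding legacy `policy = "..."`
    shorthand through MODES so both forms compare on equal terms."""
    rules: Dict[str, List[str]] = {}
    for m in RULE_RE.finditer(text):
        body = m.group("body")
        caps_m = re.search(r'capabilities\s*=\s*\[([^\]]*)\]', body)
        legacy_m = re.search(r'policy\s*=\s*"([^"]+)"', body)
        if caps_m:
            caps = re.findall(r'"([^"]+)"', caps_m.group(1))
        elif legacy_m:
            caps = MODES.get(legacy_m.group(1), [legacy_m.group(1)])
        else:
            caps = []
        rules[m.group("path")] = caps
    return rules


def audit_policy(text: str, allowed_prefix: str = "cf/") -> List[str]:
    """Findings a reviewer would raise before hand-editing a broker policy:
    legacy shorthand, rules outside the broker's prefix, and destructive
    capabilities granted on a wildcard path."""
    findings: List[str] = []
    if re.search(r'\bpolicy\s*=', text):
        findings.append("uses deprecated `policy =` shorthand; prefer `capabilities`")
    for path, caps in parse_policy(text).items():
        if not path.startswith(allowed_prefix):
            findings.append(f"{path}: outside expected prefix {allowed_prefix!r}")
        if path.endswith("/*") and ("delete" in caps or "sudo" in caps):
            findings.append(f"{path}: destructive capabilities on a wildcard path")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("finding:", finding)
    print(render_policy({"example-instance": "read"}))
```

Because a token can carry several policies, the natural extension of this layout is one rendered policy per service instance rather than one growing policy that lists every instance, so that revoking an instance means removing one policy rather than editing a shared one.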