hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

vault policy endpoint `sys/policies/acl/:policy_name` doesn't accept a valid JSON or HCL file #18551

Closed noahehall closed 1 year ago

noahehall commented 1 year ago


To Reproduce

{"errors":["'policy' parameter not supplied or empty"]}

{"errors":["1 error occurred:\n\n* error converting input map[path:map[auth/*:map[capabilities:[create read update delete list sudo]]]] for field \"policy\": '' expected type 'string', got unconvertible type 'map[string]interface {}'"]}


Environment:

Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.12.2
Build Date              2022-11-23T12:53:46Z
Storage Type            raft
Cluster Name            vault-cluster-0321cbaf
Cluster ID              8c914bb5-aa7c-8c91-93b4-d61c7bcfdd90
HA Enabled              true
HA Cluster              https://127.0.0.1:8301
HA Mode                 active
Active Since            2022-12-24T19:49:42.537814557Z
Raft Committed Index    98
Raft Applied Index      98

Vault server configuration file(s):


```sh
Vault v1.12.2 (415e1fe3118eebd5df6cb60d13defdc01aa17b03), built 2022-11-23T12:53:46Z
```


maxb commented 1 year ago

You are not sending the correct body payload in the HTTP request. An example correct payload is featured in the documentation for the endpoint: https://developer.hashicorp.com/vault/api-docs/system/policies#create-update-acl-policy

maxb commented 1 year ago
> this gist by @v6 saved the day

That's not a good solution and will mangle some more complex policies into invalid input.

If you want to automate Vault from shell scripts, you should take a look at the Vault CLI, which provides helpful commands such as:

vault policy write <policy-name> <file-to-read-from>

as well as other commands which let you do most operations in a much more concise way. You'll still need jq in places, but simple things can be written simply.

Or if you really want to avoid that, and stick more closely to the style you are currently using, you should use the jq -n -c --arg approach you are already using in other places in your script, to build the policy request body, because that will be more reliable than the gist you found.

noahehall commented 1 year ago

thanks for the tips @maxb

it's unfortunate the endpoint doesn't accept policies written in JSON, which would alleviate the issue of having to escape a bunch of double quotes

as for the script, it's only for bootstrapping vault servers on init and testing integration before downstream services integrate.

the majority of services in my environment will not have access to a Vault Agent, Vault CLI or a human to configure, so having a 100% HTTP API compatible vault integration is a requirement.

I'll likely follow your advice and write a policy parser that handles escaping of the policy path; for now, I'll refrain from using any complex policies

noahehall commented 1 year ago

took another look at the payload that the policy endpoint accepts, and @maxb you are indeed correct, just need to escape all the quotes in the policy and send the entire thing as a string

creating policy policy_admin_vault:

```hcl
path "secret/*" { # kv-v2
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo"]
}

path "env/*" { # kv-v1
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo"]
}

path "sys/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "auth/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "database/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "pki*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}
```

```text
[DEBUG] SCRIPT.VAULT.SH
------------
[url]: https://dev.nirv.ai:8300/v1/sys/policies/acl/policy_admin_vault
[args]: -H X-Vault-Token: hvs.EqX-Bzh2cy5yb1lkcXlraHhYWmlLY1R5U2FxcTdoTWo --data {
    "policy": 
        "

                path \"secret/*\" {   
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\"]
                }
                path \"env/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\"]
                }
                path \"sys/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"auth/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"database/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"pki*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
        "
    }
```
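As an added example (not code from this issue or from the Vault project), the POSIX shell below builds the `{"policy": "<HCL text>"}` request body that maxb points to in the endpoint docs with a real JSON string encoder instead of hand-escaped double quotes, then PUTs it to `sys/policies/acl/:name` and reads it back. The helper names `json_string`, `policy_body` and `put_policy`, the `VAULT_ADDR`/`VAULT_TOKEN` variables and the sample policy are assumptions for the example; where jq is installed, `jq -n -c --arg policy "$(cat policy.hcl)" '{policy: $policy}'` produces the same body in one line, which is the approach maxb recommends.

```sh
#!/bin/sh
# Added example, not part of the issue or of Vault: encode an HCL policy
# file as the JSON body expected by PUT /v1/sys/policies/acl/:name.
# Uses only POSIX sed/awk so it runs on hosts without jq.
set -e

# json_string STRING -> prints STRING as a quoted JSON string literal.
# Escapes backslash, double quote, tab and newline (the characters that
# occur in real HCL policies); other control characters are not expected.
json_string() {
    tab=$(printf '\t')
    printf '%s' "$1" |
        sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$tab/\\\\t/g" |
        awk 'BEGIN { printf "\"" }
             NR > 1 { printf "%s", "\\n" }
             { printf "%s", $0 }
             END { printf "\"" }'
}

# policy_body FILE -> prints the compact one-line JSON request body for FILE.
policy_body() {
    printf '{"policy":%s}\n' "$(json_string "$(cat "$1")")"
}

# put_policy NAME FILE -> writes the policy, then reads it back so the stored
# text can be compared with the file. Assumes VAULT_ADDR and VAULT_TOKEN are
# exported (hypothetical deployment values); the endpoint paths are the ones
# documented for sys/policies/acl.
put_policy() {
    body=$(policy_body "$2")
    curl -sS --fail -X PUT \
        -H "X-Vault-Token: $VAULT_TOKEN" \
        --data "$body" \
        "$VAULT_ADDR/v1/sys/policies/acl/$1"
    curl -sS --fail \
        -H "X-Vault-Token: $VAULT_TOKEN" \
        "$VAULT_ADDR/v1/sys/policies/acl/$1"
}
```

Besides double quotes, the encoder handles backslashes, tabs and line breaks: JSON does not allow a raw newline inside a string, so a multi-line policy has to travel as `\n` sequences in a single-line body, which is what the jq and CLI paths also produce. Reading the policy back after the write is the cheap check that nothing was mangled in transit.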