madrisan / hashicorp-vault-monitor

:key: HashiCorp Vault Monitoring Tool
Mozilla Public License 2.0
24 stars, 4 forks

What are the minimum necessary permissions? #4

Closed zwiebelspaetzle closed 4 years ago

zwiebelspaetzle commented 4 years ago

The readme uses the root token of a dev setup. In prod, what are the minimum permissions needed for this script to run?

madrisan commented 4 years ago

For reading secrets (get) and monitoring the token expiration (token-lookup) you do not need a root token. In general you just need a token associated with a policy allowing only the actions you need. For instance, the get command needs a token able to read a sub-tree of secret/. The token-lookup method works with any given token, of course. Conversely, the policy method requires a root token or the appropriate rights.
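
A concrete least-privilege setup for the two commands discussed above, written as an added example that is not part of the hashicorp-vault-monitor project or of the maintainer's answer. It assumes the `secret/` mount is KV v2 (so reads go to `secret/data/<sub-tree>`), that the secrets to monitor live under `secret/myapp/`, that the policy is named `vault-monitor`, and that the `vault` CLI plus an administrative `VAULT_ADDR`/`VAULT_TOKEN` are available when the script is invoked with the `create` argument; all of those names are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not project code): emit a minimal Vault ACL policy for the
# `get` and `token-lookup` commands, optionally install it and mint a token.
# Assumed: "secret/" is a KV v2 mount, secrets live under secret/myapp/,
# policy name "vault-monitor". Override via SECRET_SUBTREE / POLICY_NAME.
set -eu

POLICY_NAME="${POLICY_NAME:-vault-monitor}"
SECRET_SUBTREE="${SECRET_SUBTREE:-myapp}"

# Print the HCL policy to stdout.
monitor_policy() {
  cat <<EOF
# Read-only access to one sub-tree of the KV v2 mount "secret/".
# For a KV v1 mount the path would be "secret/${SECRET_SUBTREE}/*" instead.
path "secret/data/${SECRET_SUBTREE}/*" {
  capabilities = ["read"]
}

# token-lookup only needs to inspect the token's own TTL. Vault's built-in
# "default" policy already grants lookup-self; it is listed explicitly so the
# token keeps working even when created with -no-default-policy.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
EOF
}

# Write the policy to the file given as $1.
write_policy_file() {
  monitor_policy > "$1"
}

# Install the policy and mint a token bound to it (needs an admin token in
# VAULT_TOKEN). The new client token is printed on stdout. Note that nothing
# here grants access to sys/policies/*, so this token cannot run the `policy`
# command, which is exactly the point of scoping it this way.
create_monitor_token() {
  tmp=$(mktemp)
  write_policy_file "$tmp"
  vault policy write "$POLICY_NAME" "$tmp"
  rm -f "$tmp"
  vault token create -policy="$POLICY_NAME" -ttl=24h -renewable -field=token
}

# Only contact Vault when explicitly asked and the CLI is present.
if [ "${1:-}" = "create" ] && command -v vault >/dev/null 2>&1; then
  create_monitor_token
fi
```

Run it with `create` as an administrator, put the printed token in `VAULT_TOKEN`, and the monitor's `get` and `token-lookup` commands work against `secret/myapp/` while any attempt to read other paths or to inspect policies is denied with HTTP 403.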

madrisan commented 4 years ago

It's not necessary to execute this binary as root, only a simple execution right.