Bug: getting 403 on policy change approve
VAdamec opened this issue · 5 comments
Bug report:
Vault version:
0.9.5
Goldfish version:
0.9.0
Operating system:
OL7
Steps to reproduce:
just follow https://github.com/Caiyeon/goldfish/wiki/Production-Deployment
Expected behaviour:
policy will be approved
Actual behaviour:
getting 403
Temp fix
Updating the capabilities of the goldfish policy to have access to sys/wrapping/wrap helps for approvals (no idea if it's a correct/safe approach), but the last approval gets 403 for writing, so some piece is still missing.
Vault audit log:
... "approle","policies":["default","goldfish"], "path":"sys/wrapping/wrap", "error":"permission denied", ...
Changed policy
- goldfish/vagrant/policies/goldfish.hcl
# [mandatory]
# store goldfish run-time settings here
# goldfish hot-reloads from this endpoint every minute
path "secret/goldfish" {
capabilities = ["read", "update"]
}
# [optional]
# to enable transit encryption, see wiki for details
path "transit/encrypt/goldfish" {
capabilities = ["read", "update"]
}
path "transit/decrypt/goldfish" {
capabilities = ["read", "update"]
}
path "sys/wrapping/wrap" {
capabilities = ["read", "update"]
}
Goldfish needs the default policy, which includes wrapping and unwrapping. This is by design, and not a bug. The default policy is in the deployment steps in the wiki.
Well, as I said, I followed the production deployment, so the policies were created, but they don't contain any sys/wrapping section. See https://github.com/Caiyeon/goldfish/tree/master/vagrant/policies
goldfish/vagrant/policies/goldfish.hcl
# [mandatory]
# store goldfish run-time settings here
# goldfish hot-reloads from this endpoint every minute
path "secret/goldfish" {
capabilities = ["read", "update"]
}
# [optional]
# to enable transit encryption, see wiki for details
path "transit/encrypt/goldfish" {
capabilities = ["read", "update"]
}
path "transit/decrypt/goldfish" {
capabilities = ["read", "update"]
}
path "sys/wrapping/wrap" {
capabilities = ["read", "update"]
}
path "sys/wrapping/unwrap" {
capabilities = ["read", "update"]
}
@VAdamec See Step 1 here https://github.com/Caiyeon/goldfish/wiki/Production-Deployment
Specifically
vault write auth/approle/role/goldfish role_name=goldfish policies=default,goldfish \
secret_id_num_uses=1 secret_id_ttl=5m period=24h token_ttl=0 token_max_ttl=0
Here is more info on the default policy.
To view the default policy you can run the command
vault policy read default
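The failure mode in this thread is that the token's effective capabilities are the merge of every attached policy, so a goldfish.hcl that matches the wiki still ends in "permission denied" on sys/wrapping/wrap when the cluster's default policy no longer carries the stock wrapping stanzas. The script below is an added example (not goldfish's or Vault's own code) that parses policy files with a simplified model of Vault's ACL evaluation and reports which wrapping capabilities an approval would lack. The "stock default" excerpt is constructed to mirror the wrapping rules of the shipped default policy and the "migrated default" is a constructed stand-in for an older cluster; the parser, the matcher and the REQUIRED table are assumptions of this example, so confirm the real policy with vault policy read default.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt modelled on the wrapping stanzas of the stock default policy.
# Assumption of this example: check it against `vault policy read default`.
STOCK_DEFAULT_HCL = """
path "auth/token/lookup-self" {
    capabilities = ["read"]
}
path "auth/token/renew-self" {
    capabilities = ["update"]
}
path "sys/wrapping/wrap" {
    capabilities = ["update"]
}
path "sys/wrapping/lookup" {
    capabilities = ["update"]
}
path "sys/wrapping/unwrap" {
    capabilities = ["update"]
}
"""

# Constructed stand-in for a "default" policy carried over from an old cluster:
# tokens can renew themselves, but nothing under sys/wrapping/ is granted.
MIGRATED_DEFAULT_HCL = """
path "auth/token/lookup-self" {
    capabilities = ["read"]
}
path "auth/token/renew-self" {
    capabilities = ["update"]
}
"""

# The goldfish policy as shipped in vagrant/policies/goldfish.hcl (posted above).
GOLDFISH_HCL = """
path "secret/goldfish" {
    capabilities = ["read", "update"]
}
path "transit/encrypt/goldfish" {
    capabilities = ["read", "update"]
}
path "transit/decrypt/goldfish" {
    capabilities = ["read", "update"]
}
"""

# Assumption: an approval wraps the pending change and later unwraps it,
# and both are POSTs, i.e. "update" on these two system paths.
REQUIRED: Dict[str, Set[str]] = {
    "sys/wrapping/wrap": {"update"},
    "sys/wrapping/unwrap": {"update"},
}

_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{(.*?)\}', re.S)
_CAPS = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Return {path: capabilities} for every path stanza in one policy file.
    Simplified: only `path "..." { capabilities = [...] }` blocks are understood."""
    rules: Dict[str, Set[str]] = {}
    for path, body in _BLOCK.findall(hcl):
        m = _CAPS.search(body)
        caps = {c.strip().strip('"') for c in m.group(1).split(",") if c.strip()} if m else set()
        rules.setdefault(path, set()).update(caps)
    return rules


def _matches(rule_path: str, request_path: str) -> bool:
    # A rule ending in "*" is a prefix match; anything else must match exactly.
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def capabilities_for(policies: List[Dict[str, Set[str]]], request_path: str) -> Set[str]:
    """Effective capabilities on one path across all attached policies.
    Exact rules beat globs, the longest rule wins, equally specific rules are
    unioned, and an explicit "deny" overrides everything (simplified Vault model)."""
    hits = [(rp, caps) for pol in policies for rp, caps in pol.items() if _matches(rp, request_path)]
    if not hits:
        return set()
    best = max((not rp.endswith("*"), len(rp)) for rp, _ in hits)
    caps: Set[str] = set()
    for rp, c in hits:
        if (not rp.endswith("*"), len(rp)) == best:
            caps |= c
    return {"deny"} if "deny" in caps else caps


def missing_for_approval(policies: List[Dict[str, Set[str]]]) -> Dict[str, Set[str]]:
    """{path: capabilities still lacking} for each REQUIRED path; empty means OK."""
    missing: Dict[str, Set[str]] = {}
    for path, need in REQUIRED.items():
        have = capabilities_for(policies, path)
        lacking = need if "deny" in have else need - have
        if lacking:
            missing[path] = lacking
    return missing


if __name__ == "__main__":
    goldfish = parse_policy(GOLDFISH_HCL)
    for label, default in (("stock default", STOCK_DEFAULT_HCL), ("migrated default", MIGRATED_DEFAULT_HCL)):
        gaps = missing_for_approval([parse_policy(default), goldfish])
        print(f"{label} + goldfish: {'ok' if not gaps else 'missing ' + str(gaps)}")
```

Running it against the migrated default reproduces the audit log above: sys/wrapping/wrap is denied, and adding only wrap to goldfish.hcl (the temporary fix in the report) still leaves sys/wrapping/unwrap ungranted, which is the remaining 403. Fix the default policy (or add both stanzas to goldfish.hcl) rather than widening the approle role.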
You're right, my default policy was way different from what it should be (migrated from older versions of Vault). So the only thing which doesn't work is transit encryption. I'll open another ticket, thanks.