How to create a HashiCorp Vault policy that prevents users from destroying secret versions?

Problem description

I have a policy for new users who need to be able to create new secrets and new secret versions, but who should not be able to delete secrets or secret versions. The snippet below stops users from deleting secrets; however, they are still able to destroy every secret version.

How can I use a policy to prevent them from destroying secret versions?

# This section grants create/read/update/list on everything under "secrets/*".
# Further restrictions can be applied on top of this broad rule, as shown below.
path "secrets/*" {
  capabilities = ["create", "read", "update", "list"]
}

Tags: security, rbac, hashicorp-vault

Solution


You can use the HashiCorp Vault API documentation to solve this: https://www.vaultproject.io/api/secret/kv/kv-v2.html and https://github.com/hashicorp/vault/blob/master/website/source/docs/concepts/policies.html.md

# This section grants create/read/update/list on everything under "secrets/*".
# Further restrictions can be applied on top of this broad rule, as shown below.
path "secrets/*" {
  capabilities = ["create", "read", "update", "list"]
}

# These rules explicitly deny the KV v2 version endpoints: "secrets/destroy/<key>"
# (permanently destroy versions) and "secrets/delete/<key>" (soft-delete versions).
# Both endpoints are POST requests, so the "update" capability granted by the
# broad rule above would otherwise allow them; the more specific path wins.
path "secrets/destroy/*" {
  capabilities = ["deny"]
}
path "secrets/delete/*" {
  capabilities = ["deny"]
}
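As an added illustration (not part of the original question or answer, and not HashiCorp's code), the following Python models how Vault evaluates a policy against the KV v2 API paths that the `vault kv` subcommands call when the engine is mounted at `secrets/`. The two policies are the ones from the question and the answer; the request table and the key name `app/db` are constructed for the example. It shows why `secrets/*` with `update` lets `vault kv destroy` through (destroy is a POST to `secrets/destroy/<key>`, which only needs `update`), and that the added deny rules block both destroy and per-version delete.

```python
# Added example, not code from the original post or from HashiCorp.
# Offline model of Vault's policy evaluation applied to the KV v2 endpoints
# that `vault kv` subcommands call when the engine is mounted at "secrets/".

# HTTP verb -> capability the matching rule must grant.  A POST that creates a
# new key is satisfied by "create"; both policies below grant "create" and
# "update", so we do not model whether the key already exists.
VERB_TO_CAPABILITY = {
    "GET": "read",
    "LIST": "list",
    "POST": "update",
    "DELETE": "delete",
}

# Policy from the question: read/write on everything under the mount.
ORIGINAL_POLICY = [
    ("secrets/*", ["create", "read", "update", "list"]),
]

# Policy from the answer: same rule plus explicit denies on the version endpoints.
FIXED_POLICY = ORIGINAL_POLICY + [
    ("secrets/destroy/*", ["deny"]),
    ("secrets/delete/*", ["deny"]),
]

# Constructed request table: CLI command -> (verb, API path) for the key "app/db".
KV_V2_REQUESTS = {
    "vault kv put secrets/app/db":                          ("POST",   "secrets/data/app/db"),
    "vault kv get secrets/app/db":                          ("GET",    "secrets/data/app/db"),
    "vault kv delete secrets/app/db":                       ("DELETE", "secrets/data/app/db"),
    "vault kv delete -versions=1 secrets/app/db":           ("POST",   "secrets/delete/app/db"),
    "vault kv undelete -versions=1 secrets/app/db":         ("POST",   "secrets/undelete/app/db"),
    "vault kv destroy -versions=1 secrets/app/db":          ("POST",   "secrets/destroy/app/db"),
    "vault kv metadata delete secrets/app/db":              ("DELETE", "secrets/metadata/app/db"),
    "vault kv metadata put -max-versions=1 secrets/app/db": ("POST",   "secrets/metadata/app/db"),
}


def matching_rules(policy, request_path):
    """Return (priority, capabilities) for every rule whose path matches.

    An exact match outranks a glob match, and among globs the longer literal
    prefix outranks the shorter one; this is how Vault picks the most specific rule.
    """
    matches = []
    for pattern, caps in policy:
        if pattern == request_path:
            matches.append(((2, len(pattern)), caps))
        elif pattern.endswith("*") and request_path.startswith(pattern[:-1]):
            matches.append(((1, len(pattern) - 1), caps))
    return matches


def is_allowed(policy, verb, request_path):
    """Deny by default; the most specific rule decides; a rule with "deny" always denies."""
    matches = matching_rules(policy, request_path)
    if not matches:
        return False
    _, caps = max(matches, key=lambda m: m[0])
    if "deny" in caps:
        return False
    return VERB_TO_CAPABILITY[verb] in caps


def evaluate(policy):
    """Map every command in KV_V2_REQUESTS to whether the policy allows it."""
    return {cmd: is_allowed(policy, verb, path)
            for cmd, (verb, path) in KV_V2_REQUESTS.items()}


def still_allowed_by_fix():
    """Commands the answer's policy still permits; worth reviewing before rollout."""
    return [cmd for cmd, ok in evaluate(FIXED_POLICY).items() if ok]


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(f"--- {name} policy ---")
        for cmd, ok in evaluate(policy).items():
            print(f"{'ALLOW' if ok else 'DENY ':5}  {cmd}")
```

Two things the output makes visible. First, the original policy already blocks `vault kv delete secrets/app/db` (a DELETE on `secrets/data/...`, which needs the ungranted `delete` capability) but allows `vault kv delete -versions=...` and `vault kv destroy -versions=...`, because those are POSTs to `secrets/delete/...` and `secrets/destroy/...` and only need `update`; the answer's deny rules close both. Second, the fixed policy still allows `vault kv metadata put -max-versions=1`: the KV v2 API documents that once a key has more versions than `max_versions`, the oldest ones are permanently deleted, so if that matters for your users, also restrict `secrets/metadata/*` (for example to `read` and `list`). Against a real server you can confirm the result without trying the destructive command: `vault policy write <name> policy.hcl`, `vault token create -policy=<name>`, then `vault token capabilities <token> secrets/destroy/app/db` should print `deny`.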
