I have a problem with Vault from HashiCorp. I have a server which is set up correctly (I can read from Vault without a problem!) and I connect to it via AppRole.
I have two use-cases which I want to implement.
I have 2 AppRoles, one for the first use case and one for the second one.
I also have 2 policies which I created:
CreationPolicy: It should only have the create and update capabilities. For that my policy looks like this, which should allow the creation and updating of secrets for everything that is under mountpath/data/path/to/secretfolder/. So e.g. the policy should allow me to add a secret under mountpath/data/path/to/secretfolder/test/test. At least that's how I understand it.
path "mountpath/data/path/to/secretfolder/*" {
capabilities = ["create", "update"]
}
It is not working and I get a permission denied when I run my code in Java.
DeletionPolicy: It should only have the delete capability. For that my policy looks like this, which should allow me to delete the metadata of a secret or destroy it completely. The soft delete is not allowed in my case.
path "mountpath/data/path/to/secretfolder/test/*" {
capabilities = ["read", "list", "delete", "update"]
}
path "mountpath/destroy/path/to/secretfolder/test/*" {
capabilities = ["delete"]
}
path "mountpath/metadata/path/to/secretfolder/test/*" {
capabilities = ["delete"]
}
I don't know where my error is. Does anyone have an idea?
What I have done so far:
I got it. It was an error in my logic. The policies that I needed were: For creation: use the policy that I mention above. It works. I did something wrong in Java. For deletion/read: you can use the first and the third policy and it works. There was a problem regarding the rollout of the policies...
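To see what the two policies from the question actually grant before touching the Java code, here is an added Python model of Vault's ACL path matching (constructed for illustration, not Vault's own code and not part of the original post). It assumes Vault's documented rules: a trailing `*` is a prefix glob, `+` matches one path segment, an exact rule beats globs, the longest glob wins, and everything else is denied; the KV v2 operation-to-path mapping (`data/`, `destroy/`, `metadata/`) follows the KV v2 API, where destroy is a POST and therefore needs `update`.

```python
# Minimal model of Vault's ACL path matching (constructed for illustration, not
# Vault's own code): a trailing '*' is a prefix glob, '+' matches exactly one
# path segment, an exact rule beats globs, and the longest matching glob wins.
CREATION_POLICY = {  # the two policies from the question, pattern -> capabilities
    "mountpath/data/path/to/secretfolder/*": ["create", "update"],
}
DELETION_POLICY = {
    "mountpath/data/path/to/secretfolder/test/*": ["read", "list", "delete", "update"],
    "mountpath/destroy/path/to/secretfolder/test/*": ["delete"],
    "mountpath/metadata/path/to/secretfolder/test/*": ["delete"],
}

def matches(pattern, path):
    """True if a policy path pattern matches a request path."""
    glob = pattern.endswith("*")
    pat_parts = (pattern[:-1] if glob else pattern).split("/")
    path_parts = path.split("/")
    if len(path_parts) < len(pat_parts) or (not glob and len(path_parts) != len(pat_parts)):
        return False
    for i, (p, s) in enumerate(zip(pat_parts, path_parts)):
        if p == "+":
            continue                        # '+' matches any single segment
        if glob and i == len(pat_parts) - 1:
            return s.startswith(p)          # '*' completes the last segment
        if p != s:
            return False
    return True

def allowed(policy, capability, path):
    """True if the most specific matching rule grants the capability."""
    hits = [pat for pat in policy if matches(pat, path)]
    if not hits:
        return False                        # Vault denies by default
    best = max(hits, key=lambda p: (not p.endswith("*"), len(p)))
    return capability in policy[best]

def kv2_request(mount, secret, operation):
    """Map a KV v2 operation to the (capability, path) the ACL check sees; a
    new write is create, a rewrite is update, destroy is a POST so needs update."""
    table = {
        "write_new": ("create", "data"), "write_existing": ("update", "data"),
        "read": ("read", "data"), "soft_delete": ("delete", "data"),
        "destroy": ("update", "destroy"), "delete_metadata": ("delete", "metadata"),
    }
    cap, prefix = table[operation]
    return cap, f"{mount}/{prefix}/{secret}"

def check(policy, operation, mount="mountpath", secret="path/to/secretfolder/test/test"):
    return allowed(policy, *kv2_request(mount, secret, operation))  # can this token do it?
```

Run against the question's own policies, `check(CREATION_POLICY, "write_new")` is True while `check(DELETION_POLICY, "destroy")` is False (the destroy rule grants only `delete`), and `check(DELETION_POLICY, "soft_delete")` is True because the first rule includes `delete` on `data/`; comparing these against the request each Java call actually issues is the quickest way to locate a permission denied.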