Introduction
This guide helps you write a policy so that gathering HCDiag bundles for support can be safely automated. Whether you want a service that gathers bundles periodically or one that runs on an internal request, the policy below lets an operator export that data for us without using a root or admin token.
Scenario
When creating an HCDiag bundle, our general guidance is to run it as a root or admin user while logged in to a node where the Vault service is running. This is a problem when an automated service runs the HCDiag utility: the service needs a long-lived token, and a long-lived root or admin token is a high-value credential to leave on a host. Best practice is to follow the principle of least privilege and give the automation a token that can read only what the bundle requires.
Recommendation
Create a policy that grants read-only access to just the endpoints HCDiag needs to build the bundle.
The policy should be the following:
vault policy write hcdiag - <<EOF
path "/sys/config/state" {
capabilities = ["read"]
}
path "/sys/host-info" {
capabilities = ["read"]
}
path "/sys/metrics" {
capabilities = ["read"]
}
path "/sys/replication/performance/status" {
capabilities = ["read"]
}
path "/sys/replication/dr/status" {
capabilities = ["read"]
}
path "/sys/pprof" {
capabilities = ["read"]
}
path "/sys/seal-status" {
capabilities = ["read"]
}
path "/sys/ha-status" {
capabilities = ["read"]
}
path "/sys/audit" {
capabilities = ["read"]
}
path "/sys/health" {
capabilities = ["read"]
}
EOF
Once the policy has been created, create a token with the above policy and attach it to the automation. Give the token a TTL or period rather than making it non-expiring, so a leaked token stops working when the automation stops renewing it, and store it in the automation's secret store rather than in a script. Note that Vault policy paths match exactly unless they end in a glob, so if your combination of HCDiag and Vault reads sub-paths (for example sys/pprof/profile or sys/config/state/sanitized), the corresponding entries need a trailing "*". In every case, confirm with "vault token capabilities" that the new token can read each endpoint above and is denied elsewhere before relying on it.
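The following script is an added example, not part of the original article or of the HCDiag project, showing how an operator with a privileged token can mint the automation token and verify that it is scoped correctly. It assumes the "hcdiag" policy above has already been written, that VAULT_ADDR and a privileged VAULT_TOKEN are set in the environment, and that the vault CLI is on the PATH. The list of required paths is taken from the policy above; the forbidden paths (sys/raw, a KV mount called secret, the ACL policy endpoint) are illustrative choices for a negative check and can be replaced with whatever matters in your cluster.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): create and verify a
# least-privilege HCDiag token. Assumes VAULT_ADDR and a privileged
# VAULT_TOKEN are set, and that the "hcdiag" policy already exists.

POLICY_NAME="${POLICY_NAME:-hcdiag}"

# Endpoints granted by the policy above; the token must be able to read each.
REQUIRED_PATHS="sys/config/state sys/host-info sys/metrics \
sys/replication/performance/status sys/replication/dr/status sys/pprof \
sys/seal-status sys/ha-status sys/audit sys/health"

# Illustrative paths a diagnostics token has no business touching; the
# token must be denied on all of them (constructed for this example).
FORBIDDEN_PATHS="sys/raw/sys secret/data/example sys/policies/acl/root"

# Create the automation token: bound to the policy only, periodic (it
# expires if the automation stops renewing it), orphaned so it does not
# die with the operator's own token, and labelled for the audit log.
# Prints just the token value.
create_hcdiag_token() {
  vault token create \
    -policy="$POLICY_NAME" \
    -orphan \
    -period=24h \
    -display-name=hcdiag-automation \
    -field=token
}

# capabilities_on TOKEN PATH: prints the token's capabilities on PATH as a
# space-separated list (the CLI prints them comma-separated).
capabilities_on() {
  vault token capabilities "$1" "$2" | tr ',' ' '
}

# verify_hcdiag_token TOKEN: returns 0 only if every required path is
# readable and every forbidden path is denied. Problems go to stderr.
verify_hcdiag_token() {
  token="$1"
  rc=0
  for p in $REQUIRED_PATHS; do
    caps=" $(capabilities_on "$token" "$p") "
    case "$caps" in
      *" read "*|*" root "*) ;;
      *) echo "MISSING read on $p (got:$caps)" >&2; rc=1 ;;
    esac
  done
  for p in $FORBIDDEN_PATHS; do
    caps=" $(capabilities_on "$token" "$p") "
    case "$caps" in
      *" deny "*) ;;
      *) echo "UNEXPECTED access to $p (got:$caps)" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Stand-alone use: "sh hcdiag-token.sh bootstrap" creates a token, verifies
# it, and prints it only if the verification passes.
if [ "${1:-}" = "bootstrap" ]; then
  tok="$(create_hcdiag_token)"
  if verify_hcdiag_token "$tok"; then
    echo "$tok"
  else
    echo "token $tok failed verification; revoke it with: vault token revoke <token>" >&2
    exit 1
  fi
fi
```

Run the script with the argument bootstrap from an operator session. If verification fails, revoke the token rather than leaving a half-checked credential in place; the failure messages name the path that was too open or too closed, which is usually enough to spot a missing trailing "*" or an entry that crept in from a broader policy.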