Expected Outcome
With this policy, Vault operators can generate tokens with all capabilities on all paths in Vault, including all namespaces.
Use Case
Vault operators often need to generate tokens with root-like like permissions in accordance with the recommended best practice to revoke root tokens immediately after use.
Prerequisites
You will need a token with the ability to write ACL policies. E.g. "create" capabilities on the sys/policies/acl/* path.
Procedure
VAULT UI
- Navigate to Policies > ACL Policies > Create ACL Policy
Enter a name for the policy e.g.
admin- Paste the following in the Policy field:
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo", "patch", "subscribe", "recover"]
subscribe_event_types = ["*"]
}Vault CLI
Create the policy:
tee admin.hcl <<EOF
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo", "patch", "subscribe", "recover"]
subscribe_event_types = ["*"]
}
EOFWrite the policy:
vault policy write admin admin.hclVault API
curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" \
-d '{"policy":"path \"*\" {\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\", \"patch\", \"subscribe\", \"recover\"] subscribe_event_types = [\"*\"]\n}\n"}' \
http://127.0.0.1:8200/v1/sys/policies/acl/admin