Introduction:
This KB supplements the official Vault policy documentation. It is intended to clarify the permitted usage of the glob "*" and the wildcard "+" when writing Vault policies.
Problem:
At times it can be unclear how and when to use the glob "*" and the wildcard "+" in a policy path.
Usage:
The glob "*" must be at the end of the path.
The glob "*" can ONLY be used as a suffix. If the glob character is found as a prefix, it will be trimmed/removed.
The glob and wildcard characters cannot be used together, as in "+*".
The wildcard "+" should be used between two forward slashes, like "/+/".
If the wildcard appears within a string of other characters, it is treated as a literal part of that string: in "/secret+/", "secret+" is the literal name of a kv mount, not a wildcard.
Key Points To Remember:
- The glob "*" and wildcard "+" are NOT to be used like regex. Their matching is implemented by Vault's own code; see the GitHub code extract referenced below.
- A policy is applied at the global level.
- Policies grant access to a path; however, they do not know which secrets engine is mounted at that path. They simply provide permissions/capabilities on that path.
Examples:
GLOB "*"
secret/abc/* - Valid
secret/abc/1* - Valid
secret/*/123 - Invalid. The glob character is only allowed at the end of a path.
secret/a*c - Invalid. The glob character is only allowed at the end of a path.
WILDCARD "+"
secret/+/123 - Valid
secret/abc/+ - Valid
secret/+/* - Valid
+/abc/123 - Valid
secret/a+c/* - Invalid (as a wildcard). The "+" character must be the only character between the slashes. However, this is valid as the literal string "a+c", where a kv mount may be named "a+c"; in that case the "+" is NOT a wildcard.
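To make the Usage rules and the Examples above concrete, the following Go program is an added illustration (it is not Vault's policy.go, and the type and function names `PathRule`, `ParsePolicyPath` and `Matches` are assumptions for this KB). It parses a policy path according to the rules stated here: "+*" is rejected, a trailing "*" becomes a prefix match, a "*" anywhere else is kept as a literal character and flagged, and "+" is a wildcard only when it is an entire segment between slashes. It then checks whether a request path is matched by the parsed rule, so each example row can be tried against real request paths.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PathRule is the parsed form of one policy path (added illustration, not a Vault type).
type PathRule struct {
	Pattern            string // policy path with a trailing glob removed
	IsPrefix           bool   // true when the path ended in "*"
	HasSegmentWildcard bool   // true when some segment is exactly "+"
	MisplacedGlob      bool   // "*" appeared somewhere other than the end (kept as a literal)
}

// ParsePolicyPath classifies a policy path using the rules in this KB.
func ParsePolicyPath(path string) (PathRule, error) {
	if strings.Contains(path, "+*") {
		return PathRule{}, errors.New("'+*' is forbidden: glob and wildcard cannot be combined")
	}
	r := PathRule{Pattern: path}
	if strings.HasSuffix(path, "*") {
		r.IsPrefix = true
		r.Pattern = strings.TrimSuffix(path, "*")
	}
	// A "*" that is not the last character is not a glob; it stays literal.
	if strings.Contains(r.Pattern, "*") {
		r.MisplacedGlob = true
	}
	// "+" is a wildcard only when it is the whole segment ("a+c" is a literal).
	for _, seg := range strings.Split(r.Pattern, "/") {
		if seg == "+" {
			r.HasSegmentWildcard = true
			break
		}
	}
	return r, nil
}

// Matches reports whether a request path is covered by the rule.
func (r PathRule) Matches(request string) bool {
	if !r.HasSegmentWildcard {
		if r.IsPrefix {
			return strings.HasPrefix(request, r.Pattern)
		}
		return request == r.Pattern
	}
	want := strings.Split(r.Pattern, "/")
	got := strings.Split(request, "/")
	if r.IsPrefix {
		if len(got) < len(want) {
			return false
		}
	} else if len(got) != len(want) {
		return false
	}
	for i, seg := range want {
		if i == len(want)-1 && r.IsPrefix {
			// The final glob segment is a prefix match on the rest of the request.
			return strings.HasPrefix(strings.Join(got[i:], "/"), seg)
		}
		if seg == "+" {
			// Assumption for this illustration: "+" must match one non-empty segment.
			if got[i] == "" {
				return false
			}
			continue
		}
		if seg != got[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed policy/request pairs mirroring the example rows above.
	cases := [][2]string{
		{"secret/abc/*", "secret/abc/foo"},
		{"secret/abc/1*", "secret/abc/234"},
		{"secret/*/123", "secret/x/123"},
		{"secret/+/123", "secret/anything/123"},
		{"+/abc/123", "kv/abc/123"},
		{"secret/+/*", "secret/abc/123/456"},
		{"secret/a+c/*", "secret/abc/x"},
		{"secret/+*", "secret/anything"},
	}
	for _, c := range cases {
		r, err := ParsePolicyPath(c[0])
		if err != nil {
			fmt.Printf("%-14s -> error: %v\n", c[0], err)
			continue
		}
		fmt.Printf("%-14s vs %-20s -> match=%-5v prefix=%-5v wildcard=%-5v misplacedGlob=%v\n",
			c[0], c[1], r.Matches(c[1]), r.IsPrefix, r.HasSegmentWildcard, r.MisplacedGlob)
	}
}
```

Note that "secret/*/123" parses without error but only ever matches the literal path "secret/*/123", and "secret/a+c/*" only matches paths under a mount literally named "a+c"; both confirm the "Invalid" rows above. Vault's own evaluation also applies capabilities, policy merging and the longest-prefix rule, which this illustration does not cover.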
References:
1. OSS code: https://github.com/hashicorp/vault/blob/main/vault/policy.go#L408C3-L427C4
2. Glob prefix removed: https://github.com/hashicorp/vault/blob/main/vault/policy.go#L419
3. Glob and wildcard together are forbidden: https://github.com/hashicorp/vault/blob/main/vault/policy.go#L411
4. Wildcard between slashes: https://github.com/hashicorp/vault/blob/main/vault/policy.go#L415
5. Vault policy documentation: https://developer.hashicorp.com/vault/docs/concepts/policies