I am trying to write a policy that allows deleting policies that exist in HashiCorp Vault.
For now I am trying a super broad approach to get the rights to do this. Afterwards I will of course cut the rights down.
delete_policy.hcl looks like this:
    path "sys/policies/acl/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    path "sys/policies/acl" {
      capabilities = ["read", "list"]
    }
    path "sys/policies/acl/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    path "sys/policy" {
      capabilities = ["read"]
    }
    path "sys/policy/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
After that I create a token with this policy as follows:
    vault policy write delete_policy delete_policy.hcl
    vault token create -policy=delete_policy
Logging in and running the delete gives the following result:
    vault policy delete test
    Error deleting test: Error making API request.
    URL: DELETE https://127.0.0.1:8200/v1/sys/policies/acl/test
    Code: 400. Errors:
    * failed to delete policy: AccessDenied: Access Denied
    status code: 403, request id: N57BHX5W8G2KAQHW, host id:
    CYVoVnzToIhBoSpoSH/OmznvHo9q/UtQvDkZFgoCrO8eE/N0Ujh/a+UOQ4QvoM5z+0PUziB+yu8=
Am I missing something here?
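Two things are worth checking before widening a policy any further: whether the token's ACL actually covers the request path, and where the denial in the output comes from. A token denied by Vault's own ACL reports HTTP 403 with "permission denied"; the output above is a 400 wrapping an AccessDenied that carries a "request id" and "host id", which is the format a storage backend's SDK produces, so it points at the Vault server's storage credentials rather than at the token. The script below is an added example, not code from the post or from HashiCorp: it parses the `path { capabilities = [...] }` subset of Vault policy HCL, evaluates a request path with Vault's exact-match-then-longest-glob rule, compares the broad policy with a least-privilege one (both constructed here), and triages the error text. The policy texts, `POSTED_ERROR` (copied from the post) and the `classify_denial` heuristic are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample policies for this example (the broad shape from the post,
# and a least-privilege alternative that only deletes the one named policy).
BROAD_POLICY = '''
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policies/acl" {
  capabilities = ["read", "list"]
}
'''

MINIMAL_POLICY = '''
path "sys/policies/acl/test" {
  capabilities = ["delete"]
}
'''

# Error text as printed in the post (ids are the ones shown there).
POSTED_ERROR = """Code: 400. Errors:
* failed to delete policy: AccessDenied: Access Denied
status code: 403, request id: N57BHX5W8G2KAQHW, host id:
CYVoVnzToIhBoSpoSH/OmznvHo9q/UtQvDkZFgoCrO8eE/N0Ujh/a+UOQ4QvoM5z+0PUziB+yu8="""

# Matches one `path "..." { capabilities = [...] }` stanza; no other HCL is handled.
STANZA_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}',
    re.S,
)


def parse_policy(text):
    """Return {path_pattern: set(capabilities)}. Duplicate stanzas for the
    same path (as in the posted file) are merged into one rule."""
    rules = {}
    for m in STANZA_RE.finditer(text):
        caps = set(re.findall(r'"([^"]+)"', m.group("caps")))
        rules.setdefault(m.group("path"), set()).update(caps)
    return rules


def capabilities_for(rules, request_path):
    """Vault's selection rule: an exact path wins; otherwise the longest
    trailing-'*' glob whose prefix matches; no match means no capabilities."""
    if request_path in rules:
        return rules[request_path]
    matches = [p for p in rules if p.endswith("*") and request_path.startswith(p[:-1])]
    return rules[max(matches, key=len)] if matches else set()


def is_allowed(policy_text, capability, request_path):
    """True if the policy grants `capability` on `request_path`.
    'deny' overrides everything; 'sudo' never substitutes for the operation."""
    caps = capabilities_for(parse_policy(policy_text), request_path)
    if "deny" in caps:
        return False
    return capability in caps


def request_path_from_url(url):
    """'https://host:8200/v1/sys/policies/acl/test' -> 'sys/policies/acl/test'."""
    path = urlparse(url).path
    return path[len("/v1/"):] if path.startswith("/v1/") else path.lstrip("/")


def classify_denial(error_text):
    """Heuristic triage (an assumption of this example): Vault's own ACL
    denial says 'permission denied'; an error quoting an SDK-style
    'request id' and 'host id' was raised by the storage backend, so the
    token's policy is not what rejected the request."""
    if "request id:" in error_text and "host id:" in error_text:
        return "storage-backend"
    if "permission denied" in error_text:
        return "vault-acl"
    return "unknown"


if __name__ == "__main__":
    path = request_path_from_url("https://127.0.0.1:8200/v1/sys/policies/acl/test")
    for name, policy in (("broad", BROAD_POLICY), ("minimal", MINIMAL_POLICY)):
        print(f"{name:8} delete {path}: {is_allowed(policy, 'delete', path)}")
    print("denial raised by:", classify_denial(POSTED_ERROR))
```

Both policies grant `delete` on `sys/policies/acl/test`, so the ACL side of the post is already sufficient and the minimal policy is the one to keep; the error itself is classified as a storage-backend refusal, which is where the investigation should move. Against a live server the same ACL question can be asked directly with `vault token capabilities <token> sys/policies/acl/test`.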