
I am trying to write a policy that allows deleting policies that exist in Hashicorp Vault.

For now I am trying an extremely broad approach to obtain the rights to do this. I will of course reduce the rights afterwards.

delete_policy.hcl looks like:

path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}

path "sys/policies/acl" {
  capabilities = [ "read", "list" ]
}

path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}

path "sys/policy"
{
  capabilities = ["read"]
}

path "sys/policy/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

After that I create a token with this policy, like so:

vault policy write delete_policy delete_policy.hcl 
vault token create -policy=delete_policy

Logging in and performing the delete gives the following result:

vault policy delete test
Error deleting test: Error making API request.

URL: DELETE https://127.0.0.1:8200/v1/sys/policies/acl/test
Code: 400. Errors:

* failed to delete policy: AccessDenied: Access Denied
     status code: 403, request id: N57BHX5W8G2KAQHW, host id:        
CYVoVnzToIhBoSpoSH/OmznvHo9q/UtQvDkZFgoCrO8eE/N0Ujh/a+UOQ4QvoM5z+0PUziB+yu8=

Am I missing something here?


0 answers
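To check whether the policy itself is what blocks the delete, here is an added example (not from the question and not Vault's own code) that evaluates the posted delete_policy.hcl against the request path shown in the error, using a simplified version of Vault's ACL matching: an exact path rule wins, otherwise the longest matching trailing-`*` rule applies, and a rule containing `deny` grants nothing. The regex-based stanza parser and the merge of repeated stanzas are assumptions made for this illustration.

```python
import re

# Added example (not from the question or from Vault's code base): mimics how
# Vault's ACL matches a request path against a policy's path stanzas. Supports
# exact paths and trailing-"*" globs, which is all delete_policy.hcl uses.
STANZA_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)

# The stanzas from the posted delete_policy.hcl, reflowed one per line.
DELETE_POLICY = """
path "sys/policies/acl/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
path "sys/policies/acl"   { capabilities = ["read", "list"] }
path "sys/policies/acl/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
path "sys/policy"         { capabilities = ["read"] }
path "sys/policy/*"       { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
"""

def parse_policy(hcl: str) -> dict:
    """Return {path: set(capabilities)}. Repeated stanzas for one path are
    unioned (assumption: same merge Vault applies to identical paths)."""
    rules = {}
    for path, caps in STANZA_RE.findall(hcl):
        rules.setdefault(path, set()).update(re.findall(r'"([^"]+)"', caps))
    return rules

def effective_capabilities(rules: dict, request_path: str) -> set:
    """Exact-path rule wins; otherwise the longest matching glob rule
    applies; a rule containing "deny" grants nothing."""
    if request_path in rules:
        caps = rules[request_path]
    else:
        prefixes = [p[:-1] for p in rules
                    if p.endswith("*") and request_path.startswith(p[:-1])]
        if not prefixes:
            return set()
        caps = rules[max(prefixes, key=len) + "*"]
    return set() if "deny" in caps else set(caps)

def is_allowed(rules: dict, request_path: str, capability: str) -> bool:
    return capability in effective_capabilities(rules, request_path)

if __name__ == "__main__":
    # `vault policy delete test` issues DELETE sys/policies/acl/test,
    # which needs the "delete" capability on that path.
    rules = parse_policy(DELETE_POLICY)
    path = "sys/policies/acl/test"
    print(path, sorted(effective_capabilities(rules, path)))
    print("delete allowed:", is_allowed(rules, path, "delete"))
```

Run as-is it reports that `delete` is granted on `sys/policies/acl/test`, so the policy is not what rejects the request (a Vault ACL denial would surface as a 403 "permission denied" from Vault itself). An error of the form `AccessDenied: Access Denied status code: 403, request id: ..., host id: ...` is an AWS SDK request failure passed through from the storage backend, so the permission to check next is the one Vault's storage credentials hold on that backend.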