How do I create a HashiCorp Vault policy that prevents users from destroying secret versions?

I have a policy for new users who need the ability to create new secrets and new secret versions, but they should not be able to delete secrets or secret versions. The snippet below prevents users from deleting secrets; however, they are still able to destroy individual secret versions.

How can I use a policy to stop them from destroying secret versions?

jiemy666 answered: How do I create a HashiCorp Vault policy that prevents users from destroying secret versions?

You can work this out from the HashiCorp Vault API and policy documentation: https://www.vaultproject.io/api/secret/kv/kv-v2.html https://github.com/hashicorp/vault/blob/master/website/source/docs/concepts/policies.html.md

# Grant create/read/update/list on everything under "secrets/*". The "delete"
# capability is deliberately left out, so a DELETE on secrets/data/* (soft-delete
# the latest version) or on secrets/metadata/* (remove all versions) is refused.
path "secrets/*" {
  capabilities = ["create", "read", "update", "list"]
}

# The KV v2 delete and destroy endpoints are POST requests, so the "update"
# capability granted above would otherwise allow them. These paths are more
# specific than "secrets/*", so they take precedence, and "deny" overrides
# every other capability on the matching path.
path "secrets/destroy/*" {
  capabilities = ["deny"]
}
path "secrets/delete/*" {
  capabilities = ["deny"]
}
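To see why the broad grant alone lets a user destroy versions and why the two deny stanzas close that hole, the following is an added example (not code from the post or from HashiCorp) that models Vault's ACL evaluation in Python: a trailing `*` is a prefix glob, the most specific matching path wins, and `deny` on the winning path overrides every other capability. The table of KV v2 operations and the capability each one requires follows the KV v2 API documentation linked above; the mount name `secrets`, the secret path `app/db` and the two policy texts are constructed for the example, and only the `*` glob is modelled (not the `+` segment wildcard).

```python
"""Minimal model of HashiCorp Vault ACL evaluation for KV v2 operations.

Added example, not part of the original post or of Vault itself. It parses the
`path "..." { capabilities = [...] }` stanzas used in the answer and applies the
published matching rules: trailing `*` is a prefix glob, the most specific
matching path wins, and "deny" overrides everything else on that path.
"""
import re

# KV v2 operation -> (API path relative to the mount, capabilities that satisfy it).
# Taken from the KV v2 API docs: delete/undelete/destroy are POSTs and therefore
# need "update"; soft-deleting the latest version and deleting metadata need "delete".
KV2_OPERATIONS = {
    "write":           ("data/{p}",     ("create", "update")),  # create for a new path
    "read":            ("data/{p}",     ("read",)),
    "list":            ("metadata/{p}", ("list",)),
    "soft_delete":     ("data/{p}",     ("delete",)),   # DELETE data/<p>: latest version
    "delete_versions": ("delete/{p}",   ("update",)),   # POST delete/<p>: recoverable
    "undelete":        ("undelete/{p}", ("update",)),   # POST undelete/<p>
    "destroy":         ("destroy/{p}",  ("update",)),   # POST destroy/<p>: permanent
    "delete_metadata": ("metadata/{p}", ("delete",)),   # DELETE metadata/<p>: all versions
}

# Matches one stanza of the shape used in the answer (no comments inside the braces).
_STANZA = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl):
    """Return a list of (path_pattern, set_of_capabilities) from a policy document."""
    return [(pattern, set(re.findall(r'"([^"]+)"', caps)))
            for pattern, caps in _STANZA.findall(hcl)]


def _matches(pattern, path):
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def capabilities(rules, path):
    """Effective capabilities on `path`: longest matching prefix wins (an exact path
    beats a glob of the same length); Vault is deny-by-default; "deny" is absolute."""
    candidates = [(pat, caps) for pat, caps in rules if _matches(pat, path)]
    if not candidates:
        return set()
    _, caps = max(candidates,
                  key=lambda r: (len(r[0].rstrip("*")), not r[0].endswith("*")))
    return {"deny"} if "deny" in caps else caps


def allowed(rules, operation, mount, secret_path):
    """Can a token holding `rules` perform the KV v2 `operation` on mount/secret_path?"""
    rel, needed = KV2_OPERATIONS[operation]
    caps = capabilities(rules, f"{mount}/{rel.format(p=secret_path)}")
    return "deny" not in caps and any(c in caps for c in needed)


# Constructed policies: the broad grant from the answer on its own, and with the denies.
BROAD_POLICY = '''
path "secrets/*" {
  capabilities = ["create", "read", "update", "list"]
}
'''

HARDENED_POLICY = BROAD_POLICY + '''
path "secrets/destroy/*" {
  capabilities = ["deny"]
}
path "secrets/delete/*" {
  capabilities = ["deny"]
}
'''


def compare(secret_path="app/db"):
    """Map each KV v2 operation to (allowed under BROAD_POLICY, allowed under HARDENED_POLICY)."""
    broad, hard = parse_policy(BROAD_POLICY), parse_policy(HARDENED_POLICY)
    return {op: (allowed(broad, op, "secrets", secret_path),
                 allowed(hard, op, "secrets", secret_path))
            for op in KV2_OPERATIONS}


if __name__ == "__main__":
    for op, (before, after) in compare().items():
        print(f"{op:16} broad={str(before):5} hardened={after}")
```

Under the broad policy alone, `destroy` and `delete_versions` come out allowed because the `update` capability covers those POST endpoints, while `soft_delete` and `delete_metadata` are already refused because `delete` was never granted. With the two deny stanzas the destroy and delete endpoints flip to refused and the read/write/list/undelete results are unchanged. Against a real server the same check is `vault token capabilities secrets/destroy/app/db` run with a token that holds the policy, which should print `deny`.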
Original post: https://www.f2er.com/3165061.html
