Vault Policy Configuration
Vault Policy Configuration
Details
Interact with vault's policies. To get started, you may want to read up on policies as described in the vault manual, here: https://developer.hashicorp.com/vault/docs/concepts/policies
Super class
vaultr::vault_client_object
-> vault_client_policy
Methods
Inherited methods
Method new()
Create a vault_client_policy
object. Not typically
called by users.
Usage
vault_client_policy$new(api_client)
Arguments
api_client
A vault_api_client object
Method delete()
This endpoint deletes the policy with the given name. This will immediately affect all users associated with this policy.
Method write()
Create or update a policy. Once a policy is updated, it takes effect immediately to all associated users.
Arguments
name
Name of the policy to update
rules
Specifies the policy document. This is a string in "HashiCorp configuration language". At present this must be read in as a single string (not a character vector of strings); future versions of vaultr may allow more flexible specification such as
@filename
Examples
server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
if (!is.null(server)) {
client <- server$client()
# The test server starts with only the policies "root" (do
# everything) and "default" (do nothing).
client$policy$list()
# Here let's make a policy that allows reading secrets from the
# path /secret/develop/* but nothing else
rules <- 'path "secret/develop/*" {policy = "read"}'
client$policy$write("read-secret-develop", rules)
# Our new rule is listed and can be read
client$policy$list()
client$policy$read("read-secret-develop")
# For testing, let's create a secret under this path, and under
# a different path:
client$write("/secret/develop/password", list(value = "password"))
client$write("/secret/production/password", list(value = "k2e89be@rdC#"))
# Create a token that can use this policy:
token <- client$auth$token$create(policies = "read-secret-develop")
# Login to the vault using this token:
alice <- vaultr::vault_client(addr = server$addr,
login = "token", token = token)
# We can read the paths that we have been granted access to:
alice$read("/secret/develop/password")
# We can't read secrets that are outside our path:
try(alice$read("/secret/production/password"))
# And we can't write:
try(alice$write("/secret/develop/password", list(value = "secret")))
# cleanup
server$kill()
}
#> Verifying token
#> Error : While reading secret/production/password:
#> 1 error occurred:
#> * permission denied
#>
#>
#> Error : 1 error occurred:
#> * permission denied
#>
#>