Vault Policy Configuration
Details
Interact with Vault's policies. To get started, you may want to read up on policies as described in the Vault manual, here: https://developer.hashicorp.com/vault/docs/concepts/policies
Super class
vaultr::vault_client_object -> vault_client_policy
Methods
Inherited methods
Method new()
Create a vault_client_policy object. Not typically called by users.
Usage
vault_client_policy$new(api_client)
Arguments
- api_client
- A vault_api_client object 
Method delete()
This endpoint deletes the policy with the given name. This will immediately affect all users associated with this policy.
Method write()
Create or update a policy. Once a policy is updated, it takes effect immediately for all tokens associated with it.
Arguments
- name
- Name of the policy to update 
- rules
- Specifies the policy document. This is a string in HashiCorp Configuration Language (HCL). At present this must be passed as a single string (not a character vector of strings); future versions of vaultr may allow more flexible specification, such as @filename
Examples
server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
if (!is.null(server)) {
  client <- server$client()
  # The test server starts with only the policies "root" (do
  # everything) and "default" (do nothing).
  client$policy$list()
  # Here let's make a policy that allows reading secrets from the
  # path /secret/develop/* but nothing else
  rules <- 'path "secret/develop/*" {policy = "read"}'
  client$policy$write("read-secret-develop", rules)
  # Our new rule is listed and can be read
  client$policy$list()
  client$policy$read("read-secret-develop")
  # For testing, let's create a secret under this path, and under
  # a different path:
  client$write("/secret/develop/password", list(value = "password"))
  client$write("/secret/production/password", list(value = "k2e89be@rdC#"))
  # Create a token that can use this policy:
  token <- client$auth$token$create(policies = "read-secret-develop")
  # Login to the vault using this token:
  alice <- vaultr::vault_client(addr = server$addr,
                                login = "token", token = token)
  # We can read the paths that we have been granted access to:
  alice$read("/secret/develop/password")
  # We can't read secrets that are outside our path:
  try(alice$read("/secret/production/password"))
  # And we can't write:
  try(alice$write("/secret/develop/password", list(value = "secret")))
  # cleanup
  server$kill()
}
#> Verifying token
#> Error : While reading secret/production/password:
#>  1 error occurred:
#> 	* permission denied
#> 
#> 
#> Error : 1 error occurred:
#> 	* permission denied
#> 
#>
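The following is an added example, not part of the vaultr documentation or package: it builds a multi-stanza HCL policy from a character vector (collapsed into the single string that rules requires), uses the capabilities syntax with an explicit deny, and checks that a token holding the policy is limited to exactly the granted paths. It assumes the same test server and client methods as the example above, that read() returns the stored fields as a list, and uses constructed secret values and policy/token names.

```r
# Added example (not vaultr's own code): assemble one policy string from
# several HCL stanzas, then verify least privilege with a restricted token.
server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()
  # One stanza per element; collapse to the single string write() requires.
  stanzas <- c(
    'path "secret/develop/*" {',
    '  capabilities = ["read", "list"]',
    '}',
    '# An explicit deny takes precedence over any grant, including grants',
    '# from other policies attached to the same token.',
    'path "secret/develop/admin/*" {',
    '  capabilities = ["deny"]',
    '}'
  )
  rules <- paste(stanzas, collapse = "\n")
  client$policy$write("develop-readonly", rules)
  # Read the policy back to confirm exactly what Vault stored
  cat(client$policy$read("develop-readonly"), "\n")

  # Constructed test secrets, one inside the grant and one inside the deny
  client$write("/secret/develop/db", list(value = "dev-db-password"))
  client$write("/secret/develop/admin/root", list(value = "dev-root-password"))

  # Token carrying only the new policy (hypothetical user "bob")
  token <- client$auth$token$create(policies = "develop-readonly")
  bob <- vaultr::vault_client(addr = server$addr,
                              login = "token", token = token)

  # Granted: read under secret/develop/* (assumes read() returns a list)
  stopifnot(identical(bob$read("/secret/develop/db")$value, "dev-db-password"))
  # Denied: the deny stanza overrides the broader read grant
  res <- try(bob$read("/secret/develop/admin/root"), silent = TRUE)
  stopifnot(inherits(res, "try-error"))
  # Denied: no "create"/"update" capability was granted anywhere
  res <- try(bob$write("/secret/develop/db", list(value = "x")), silent = TRUE)
  stopifnot(inherits(res, "try-error"))
  server$kill()
}
```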