我无法理解 secret 列表的工作原理。
我有具有路径权限的策略。
path "sys/mounts/*" {
capabilities = ["create", "read", "update", "delete", "list","sudo"]
}
我可以运行启用和禁用标志
$ vault secrets enable -path=Test kv
Success! Enabled the kv secrets engine at: Test/
$ vault secrets disable Test
Success! Disabled the secrets engine (if it existed) at: Test/
但我无法运行列表或移动
vault secrets list
Error listing secrets engines: Error making API request.
URL: GET http://localhost:8200/v1/sys/mounts
Code: 403. Errors:
* permission denied
vault secrets move Test Test2
Error moving secrets engine Test/ to Test2/: Error making API request.
URL: POST http://localhost/v1/sys/remount
Code: 403. Errors:
* permission denied
这不是文件系统权限问题,将管理 token 更改为根 token 后一切正常。那么有人可以解释我这种行为吗?
最佳答案
尝试:
path "sys/mounts" {
capabilities = ["read"]
}
该命令在 sys/mounts 上执行,而不是 sys/mounts/*
关于hashicorp-vault - Vault secret 列表权限被拒绝,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51305714/