Is there any way to get vault policy details that someone has already created. It would me more easy if I could get policy details through URL, or API might make my work simpler.
Thanks in advance.
Ohh, I could have spend more time googling the answer instead posting this question.
I found the solution here.
From the command line, to see the rules for the policy 'default', you
would do it like this:
vault policies
vault policies <policy_name>
From the API you can do it with a GET to
/v1/sys/policy/<policy_name>
To be a bit more generic, this command lists all the existing policies:
vault policies
and the one bellow shows the details of a specific policy:
vault policies <policy_name>
Related
I'm having troubles with Vault it returns permission denied 403 error, when I try to get secrets with my k8s AppRole.
I setup vault with kv version 2 engine.
Added policy for my AppRole:
Created secret under "dev/fra1/statement":
When I login with AppRole creds I have response with required policies:
When I try to execute get request with AppRole client_token I this error:
I tried different prefixes and so on (Since people on internet had problems with them).
But then was able to localize the problem, by performing that request with root token, so it went ok:
Now I'm our of ideas, I believe the only place where the problem can be is policy, what I'm doing wrong ?
Ok, so finally figured the right prefix our, it should be:
path "kv/data/dev/*" {
capabilities = ["read"]
}
Really, there is some hell with these prefixes in vault, they should describe it better in docs.
The "secret" prefix is used in v1 of Vault's KV API. v2 uses the mount name, which by default is "kv", but can be anything when you first create the mount for your KV secrets engine.
It is important to note that some tools which use Vault's API still use v1 of the KV API to access secrets, despite that your KV secrets engine may be v2. So you may need two different permissions in your policy.
I'm facing the same issue. I have a secrets engine called TestSecretsEngine and a single secret env. In my policy I add read to the path TestSecretsEngine/data/env to no avail. I'm using the node-vault npm module and it's failing at vault.approleLogin with a 403. It's got to be something with the policy because when I add a nonexistent path, I get a 404 instead.
We have installed and configured RedHat APIMan for our working API and the plan is migration form current home-grown tiny gateway to APIMan. The problem is that we have some unprotected endpoints which do not need login (Not everyone role! No login required at all). We are using Keycloak OAuth plugin for roles, and Authorization Policy for API security. When Authorization policy is not added, I can allow unauthenticated requests via a boolean value in Keycloak OAuth policy, but after adding Authorization policy, there is no way to let unauthenticated requests pass!
Kamyar. Apiman developer here.
Please file a feature request for this over at https://github.com/apiman/apiman/issues.
I think what you are trying to do may not currently be possible easily because the authentication policy is expecting a successful auth of some sort before it is hit (to get the roles, etc).
We probably need a slightly more detailed explanation of your use-case, and then we can figure out whether we can support it. It seems like it should be doable without major changes if I understand correctly.
If and when we add support for the specifics of your requirement, I will endeavour to update this ticket.
I am using the Azure DevOps REST APIs to do some branch policy audit work. I want to see all the policy configurations, active and deleted. The API: https://dev.azure.com/organization/project/_apis/policy/configurations/?api-version=5.0 only returns active policy configurations. In-active ones should have the isDeleted flag as true. I can access those policy configurations if I already know the configuration ID and if it is included in the API call like this: https://dev.azure.com/organization/project/_apis/policy/configurations/7001?api-version=5.0
I was wondering if there is a way to list deleted policy configurations associated with a repository or project.
Rest API does not currently support querying deleted policy configuration.
When get a list of policy configuration, REST API below only output the policy not deleted:
GET https://dev.azure.com/{organization}/{project}/_apis/policy/configurations?api-version=5.0
You could submit a suggestion ticket to suggest the new feature through this url to promote development of richer features.
Note: After suggest raised, you can vote and add your comments for this feedback. When there are enough communities vote and add comments for this feedback, the product team member will take this feedback seriously
kube-apiserver does not seem to provide an option to use a certification revocation list (CRL).
Is there a way to revoke a client certificate if it's lost or not used anymore?
As far as I know there isn't a way to directly revoke certificates via a CRL. However, what does work, and what we are currently using, is ABAC policies to identify users (set via the Common Name of a certificate), and whether they have access to a given resource on Kubernetes.
As an example, say you have a user called "random". You would generate a Client Certificate for them from your given Certificate Authority, with a Common Name of "random".
From there, you can have an ABAC policy file (a csv file with each line being a bit of JSON), with permissions set for user "random" that would provide them with a certain level of access to the Kubernetes API. You can have them have access to everything or certain namespaces or other API parameters. If you need to revoke permissions, you simply delete that user from the ABAC policy file. We've tested this, and it works well. The unfortunate thing, I will say, is you have to restart the Kubernetes API service for those changes to take effect, so there may be a few seconds of downtime for this change to occur. Obviously in a development environment this isn't a big deal, but on production you may need to schedule time for users to be added.
Hopefully in the future a simple "kube-apiserver reload" will allow for a re-read of that ABAC policy file.
One final thing to note: when using Client Certificates for ABAC authentication, you will need to set permissions for users INDIVIDUALLY. Unlike with auth tokens with ABAC, you cannot set Client Certificate users in "groups." Something that caused us headaches, so figured it was worth passing on. :)
Hope this helps!
I have referred the AWS EC2 server provision document.
1. Im unable to create the signature from Access key and secret key.
what is the API (needed parameters, headers) to generate a signature? and how to provision a server ? can any one explain me please?
would you consider finding this out from the Getting Started with AWS SDK for .NET:
http://aws.amazon.com/developers/getting-started/net/
It looks pretty straightforward and in my humble opinion it is a good practice not to reinvent any activities related to security (such as authentication or authorization) and use the recommended framework/SDK.
Regarding launching an instance, please refer to the guide in this page:
http://docs.aws.amazon.com/AWSSdkDocsNET/latest/V3/DeveloperGuide/run-instance.html