Using json policies - example json policy needed #582
Comments
|
As other commenters pointed out in that pull request, it adds arrays where they shouldn't be. Here is equivalent JSON: |
|
How does this translate for use via the REST API? Seems like that wants an object containing a single "rules" attribute with a string value. |
|
That's correct. It's simply the raw text of an equivalent policy file set as the value of the "rules" key. All of the actual parsing happens within the Vault server. |
|
Ok, thanks. It would be convenient if this could be the actual json document describing the rules |
|
@jefferai the example you gave above is helpful, though how would you add multiple policies in a single file with json? |
|
@timgent The API acts on a single policy at a time, so (just like when using the CLI) you have to use separate API calls to handle separate policies. Sorry! |
|
@jefferai sorry I probably phrased this badly. I mean having a single policy that defines access rights for multiple paths |
|
@timgent Oh, sorry. Here's an example with multiple paths: {
"name": "dev",
"path": {
"*": {
"policy": "deny"
},
"stage/*": {
"policy": "sudo"
}
}
} |
|
@jefferai when Using Vault API to create a policy.An empty policy is created. {
"path": {
"sys/policy/*": {
"policy": "read"
},
"auth/userpass/users/": {
"policy": "write"
}
}
} |
|
@aakashsinghal1994 Without information about the API calls you're making I can't really help! |
|
@jefferai Here's the API call I'm making. curl \
--header "X-Vault-Token: *******" \
--request PUT \
--data @add_user.json \
https://xyz.com/v1/sys/policy/add_user |
|
@aakashsinghal1994 Take a look at the docs (https://www.vaultproject.io/api/system/policy.html) -- you need to specify the serialized HCL or JSON string as the "policy" argument to the call. |
|
@jefferai, is this is expected to work? policies.json curl command curl after this command runs with not errors, then run this command curl \ this is the response {"name":"test","rules":"","request_id":"c2d1ecbd-0eaf-658d-21e7-e0188a356c02","lease_id":"","renewable":false,"lease_duration":0,"data":{"name":"test","rules":""},"wrap_info":null,"warnings":null,"auth":null} |
|
@osvacaneljr The reason your rules are blank is because you not putting your policy into the Your policies.json should look something like this: {"rules":"{\"path\":{\"auth\/approle\/role\/\":{\"policy\":\"write\"},\"secret\/\":{\"policy\":\"write\"}}}"}Check out the documentation for this endpoint here https://www.vaultproject.io/api/system/policy.html#create-update-policy. |
|
@chrishoffman Thank you for the working example. I have been looking all day for this. note the additional curly brackets in your example and the escape before the "/" in the path. Yes, your example is for included data and the doc example is for a data file, but the missing curly brackets are still problem, no? Thanks again! |
|
I'm having the following error when I try to install a new policy:
I try the following http request: I'm using version 0.8.3 on a CentOS |
|
I don't normally chime in on these sort of things but I spent alot of time working through this issue as well. Thank you to @tburt11 in this thread and Jeff Mitchell over on a google forum thread for helping me "see the light" with the "rules" typo. I was following this article on "codifying vault" to script out provisioning a vault server. In the article they show the policy json files to have contents like this:
In this case they have a json object who's "rules" parameter value is a string representation of a policy written in hcl. However, in both the documentation on policies and this google thread it's mentioned (or shown offhandedly in slightly inconsistent code) that "rules" must be a string but the policy within the string can be in .hcl or .json format. In either case I didn't like that it was stringified because it's very easy to make mistakes when editing and reading. I modified the mypolicy.json: what the modified
Below is the modified script: |
|
Closing -- at this point there are numerous examples and I believe the OP's request is solved. |
|
I spend alot of time on this. Hashicorp should fix the api to be json compatible. In the meantime, I spend some to automate this process as https://www.hashicorp.com/blog/codifying-vault-policies-and-configuration process really sucks. |
|
Totally unclear what you mean here. The API is 100% JSON compatible. JSON is all that Vault speaks. |
|
Perhaps the wrong choice of words. Here's an example of what i am referring to: When I enable approle /v1/sys/auth/approle This works fine via the api without escaping the double quotes What i want to do something like this hash for /v1/sys/policies/acl/system_admins: It seems that you can pass the json but only as one key value / pair as oppose to the entire hash. So the above hash looks like this json to be passed via the api
Why is the behavior different ? |
|
@zippycup please use our mailing list in the future for any questions to avoid spamming everyone in GH threads. To answer your question, the policy field accepts a string as stated in the docs, so you will either need to provide a string-escaped or base64-encoded JSON object. |
|
I am using json policy files, and just parse the policy string using jq and sed to match what vault expects in --data curl arg: example admin.json |
|
I think it's pretty obvious from the sheer number of articles, blog posts, mailing list threads, and so on: vault has a serious problem when it comes to configuration. People are getting confused, there are odd workarounds being used, there are inconsistencies with the way vault handles config data. HashiCorp, for a product you charge $120,000/yr for, vault is frustrating as hell to use sometimes... |
|
Hi Paul, It's unclear from your post exactly what is frustrating you, but I would encourage you to open issues (or even better, PRs) if you are coming across specific documentation problems. Unfotunately, statements like "there aren't enough examples" aren't particularly helpful, because we don't know what problems you're having, what pieces of Vault you're using, what examples you're looking for, or whether it's just a discovery issue (e.g. there may be examples in our guides but not our API sections). Since you are a paying customer, if you hare having difficulties you can (and should) go through our support team as unlike the mailing list or GitHub that's governed by SLAs and they escalate to Vault devs as needed. |
|
Fair enough, Jeff. I'll do my best to document and report problems when I come to them. BTW, I definitely hate the HCL vs JSON issue. If I can't use HCL everywhere, I'd rather not bother using it. Consistency is more important to me, and I don't mind working with JSON. But as JSON does have the major, major, WTF-were-they-thinking, major flaw of not allowing comments, I'll make a suggestion for improving usability for folks like me that just use JSON: allow a "comment" field anywhere that it wouldn't be interpreted as data. I suppose it might even be possible to convert actual comments in HCL into this format, although simply allowing the "comment" field would be a big improvement. |
|
@geek65535 The problem of course is that there are many issue and complaints and not enough capacity to address them all in any particular time frame. The engineering team has scaled up significantly over the last few years, but so has our user base. What you've described -- "look at where users are having issues, and where people are complaining, and focus some engineering efforts on those areas" -- is pretty much our entire workflow outside of new feature development. I'd encourage you to look at the items listed under IMPROVEMENTS and BUG FIXES in our changelog -- these are pretty much driven directly by user requests, and they don't include updates to our website, including docs, API info, and our guides section which has been expanding significantly. The problem isn't that we don't listen to users, it's that there just aren't enough hours in the day. In 0.11 we've whitelisted "comment" as a key in policies. For future suggestions like this, please open a new ticket. |
|
@jefferai Thanks for putting in the "comment" as a key. |
|
No problem. Glad to help! |
|
interesting, I've spent more than 2 weeks on vault by now to figure out how to put it into production. |
|
@alexwwang If you're having troubles I suggest asking questions on the mailing list. We also have various guides (https://www.vaultproject.io/guides/index.html) that may be of use. |
|
@jefferai one week ago I posted an issue both here (#110) and in the mailing list for help but by now no further reply received. |
|
@alexandruast Thank you!!! Team (@jefferai), |
|
man, I am so having issues with policies, json and the rest api . why on earth can't we just pass in json, like most of the other api's .. and saying that I'm trying to write a policy from another node app, calling the rest api. In this other app, my json is Would some kind soul let me know how I should manipulate this object into a string that works with the |
|
Seems to work fine for me. Two notes:
|
|
thanks - yes, the cli seems to work just fine - but it's the rest api that I have problems with. Internally the cli must be doing something to the json to get it into a format suitable for the rest api. IOW - what do I need to do to convert the json in testpol.json to a format suitable for the |
|
It's simply treating the value as a string and calling Go's json.Marshal function. IOW it's JSON-escaping the string. |
|
FWIW, I've found that this works for node. Seems awfully clumsy though ... if |
|
Here's a quick hack if you want to keep the policy in HCL--i.e., not rewrite it in JSON: # Write a new JSON policy file: https://github.com/ned1313/Getting-Started-Vault/blob/master/m4/devpol.json
tee foo.json <<\EOF
{
"policy": "path "foo/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "foo/appId*" {
capabilities = ["create", "read", "update", "delete", "list"]
allowed_parameters = {
"api-key" = []
"environment" = ["dev","qa","staging","production"]
"description" = []
}
}
path "secret/data/{{identity.entity.id}}/*" {
capabilities = ["create", "update", "read", "delete"]
}
path "secret/metadata/{{identity.entity.id}}/*" {
capabilities = ["list"]
}"
}
EOF
# Reformat. The trick, like `jefferai` wrote above, is to see that "policy" is actually an escaped single value: "path..." (with any quotes inside that being escaped) in HCL format
cat foo.json | tr '\n' ' ' | sed 's/"/\\\"/g; s/\\"policy\\": \\"/"policy": "/; s/}\\"/}"/' | tee tmp; mv tmp foo.json
# Create a new policy
curl -s --header "X-Vault-Token: $VAULT_TOKEN" --request PUT --data @foo.json $VAULT_ADDR/v1/sys/policies/acl/dev-clone | jqOutput: That matches the Github contents of the Pluralsight course I'm following. Results: After accounting for spacing changes, putting the outer object brackets on one line, and replacing devkv with foo, I get these results: Confirming: curl -s --header "X-Vault-Token: $VAULT_TOKEN" --request GET $VAULT_ADDR/v1/sys/policy/dev-clone | jq '.'
{
"rules": "path \"foo/*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"] } path \"foo/appId*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"] allowed_parameters = { \"api-key\" = [] \"environment\" = [\"dev\",\"qa\",\"staging\",\"production\"] \"description\" = [] } } path \"secret/data/{{identity.entity.id}}/*\" { capabilities = [\"create\", \"update\", \"read\", \"delete\"] } path \"secret/metadata/{{identity.entity.id}}/*\" { capabilities = [\"list\"] }",
"name": "dev-clone",
"request_id": "21fc6547-c66b-daa7-6cc2-09ac73d3dd5f",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"name": "dev-clone",
"rules": "path \"foo/*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"] } path \"foo/appId*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"] allowed_parameters = { \"api-key\" = [] \"environment\" = [\"dev\",\"qa\",\"staging\",\"production\"] \"description\" = [] } } path \"secret/data/{{identity.entity.id}}/*\" { capabilities = [\"create\", \"update\", \"read\", \"delete\"] } path \"secret/metadata/{{identity.entity.id}}/*\" { capabilities = [\"list\"] }"
},
"wrap_info": null,
"warnings": null,
"auth": null
}Long story short, it's close enough for me--at least, until there's a better way. What a mess... |
|
I know this thread is old, but... even Vault is an awesome product, this thread makes sense. Today I've spent the whole morning making this work. I've followed the official tutorial, and I've read the docs. However, I had to come here and use the @alexandruast solution. Now diffing, I see stupid mistakes on my part (we're running all the time), that a proper example could avoid doing. Some ideas:
Maybe these exist, but I expected it at first sight. However, good product, thanks and keep rocking! |
|
Trying to figure out hcl to json policies is extremely frustrating, ive spent several days on this already, there are a lot of inconsistencies in the documentation and the tools, even now in 2020 e.g. take any old hcl use https://www.hcl2json.com/ and try to apply the resulting json as a policy. combine that with generic responses about what it should look like and it's a recipe for pain... |
|
@gregkeys what works for me is a post to "/sys/policies/acl/<policy_name>" with a body of
where aclPaths is etc hth. It took a while to figure out ;) I use the |
I am using the Ruby client for Vault and hence need to use json policies, as it won't allow me to use HCL directly. I haven't been able to get it working and suggest some examples are needed in the docs.
I have tried using the hcl2json tool here: hashicorp/hcl#24
Starting hcl policy:
Converted json policy:
{ "path": [ { "secret/*": [ { "policy": "write" } ] } ] }Just using the command line tool I get:
Possible the json is wrong, though I haven't been able to manually put in anything that works. I think it would be helpful for the docs to have an example of a json policy that definitely works.
The text was updated successfully, but these errors were encountered: