possibly as user
root_token=`uuid`
vault server -dev -dev-root-token-id $root_token

(-dev runs in-memory, already unsealed, with the given root token; it's for local testing only and stays in the foreground, so run the rest in a second shell)

export VAULT_ADDR=http://localhost:8200
vault login
vault status
vault secrets list
http://localhost:8200/ui/vault/dashboard
let's create two paths within the default secret engine, for testing
# policy will apply here
devops/fluentbit
log_http_user / TEST LOGIN
log_http_passwd / TEST PASSWORD
# policy won't apply here
devops/another
http_user / SOMETHING IS WRONG
prepare a policy, e.g. as follows
– note this is KV version 2, hence the data/ segment in the path (the CLI hides it behind -mount=secret, the policy must spell it out)
vi fluentbit-secrets.hcl
path "secret/data/devops/fluentbit" {
  capabilities = ["read", "list"]
}
apply
vault policy write fluentbit-secrets fluentbit-secrets.hcl
create a specific token against that given policy
vault token create -policy=fluentbit-secrets -orphan
login with it
vault login
and you should be able to read only devops/fluentbit, not devops/another
vault kv get -mount=secret -format=json devops/fluentbit ==> OK
vault kv get -mount=secret -format=json devops/another ==> 403
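the whole thing as one script, to rerun the check after every policy change – this is an added example, not from the notes above or from HashiCorp; it assumes the dev server from the top of the page is already up, that `vault` is on PATH and that you are logged in as root (VAULT_ADDR defaults to the dev address). Paths, key names and the policy name are the ones used in the notes; the `run` argument and the helper names are mine.

```shell
#!/bin/sh
# Added example (not part of the original notes): seed the two test paths,
# write the fluentbit policy, mint a restricted token and verify that it can
# read devops/fluentbit but not devops/another.
set -eu

: "${VAULT_ADDR:=http://localhost:8200}"
export VAULT_ADDR

# KV v2 serves secrets under <mount>/data/<path>; a policy has to use that
# API path, not the logical path the CLI takes with -mount=<mount>.
kv2_policy_path() {
  printf 'path "%s/data/%s" {\n  capabilities = ["read", "list"]\n}\n' "$1" "$2"
}

# Reduce a command's exit status to the outcome the notes expect.
# (vault kv get exits non-zero on permission denied, which we report as DENIED;
#  the CLI prints the 403 itself on stderr, which we discard here.)
outcome() {
  if "$@" >/dev/null 2>&1; then echo OK; else echo DENIED; fi
}

main() {
  # 1. seed the two paths under the default KV v2 mount "secret"
  vault kv put -mount=secret devops/fluentbit \
    log_http_user="TEST LOGIN" log_http_passwd="TEST PASSWORD"
  vault kv put -mount=secret devops/another http_user="SOMETHING IS WRONG"

  # 2. generate and apply the policy (same content as fluentbit-secrets.hcl above)
  kv2_policy_path secret devops/fluentbit > fluentbit-secrets.hcl
  vault policy write fluentbit-secrets fluentbit-secrets.hcl

  # 3. mint an orphan token that carries only that policy
  token=$(vault token create -policy=fluentbit-secrets -orphan -field=token)

  # 4. verify with the restricted token (VAULT_TOKEN overrides the root login
  #    for just these commands, so you stay logged in as root afterwards)
  printf 'devops/fluentbit: %s\n' \
    "$(outcome env VAULT_TOKEN="$token" vault kv get -mount=secret devops/fluentbit)"  # expect OK
  printf 'devops/another:   %s\n' \
    "$(outcome env VAULT_TOKEN="$token" vault kv get -mount=secret devops/another)"    # expect DENIED
}

# only run the procedure when explicitly asked: sh vault-policy-check.sh run
case "${1:-}" in run) main ;; esac
```

the deny on devops/another is not something the policy states, it is Vault's default: anything a token's policies don't grant is denied, so the second check is the one that proves the policy is scoped the way you think it is.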
when you're working with an existing production Vault, you can grab your token from the UI
Tools / API Explorer
sys/health Execute
and then proceed as such
export VAULT_ADDR=https://...
vault login
https://developer.hashicorp.com/vault/tutorials/get-started/setup
https://developer.hashicorp.com/vault/docs/concepts/policies
https://developer.hashicorp.com/vault/docs/commands/token/create
https://developer.hashicorp.com/vault/docs/secrets/kv
https://stackoverflow.com/questions/66793510/vault-hashicorp-add-new-policy-to-existing-users-tokens
https://mattias.engineer/courses/vault/hello-world/ ==> nice
https://developer.hashicorp.com/vault/tutorials/get-started/learn-cli ==> vault token create from cli
https://discuss.hashicorp.com/t/how-to-generate-and-renew-vault-token-inside-docker-container/69432/2 ==> k8s auth renew token