docs: add note for rolesets to avoid globs in policies (#12756)

* docs: add note for rolesets to avoid wildcards in policies

* Add note about not using example

* Change wildcard to glob

* Update website/content/docs/upgrading/upgrade-to-1.8.0.mdx

Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>

* Update documentation per review

* Update per review

* Update website/content/docs/upgrading/upgrade-to-1.8.0.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
Jason O'Donnell 2021-10-07 15:35:56 -04:00 committed by GitHub
parent 3dab9d2320
commit 035eb77999
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 35 additions and 0 deletions


@ -75,6 +75,34 @@ when creating or updating the roleset.
For more information on the differences between rolesets and static accounts, see the
[things to note](#things-to-note) section below.
### Roleset Policy Considerations
Starting with Vault 1.8.0, existing permissive policies containing globs
for the GCP Secrets Engine may grant additional privileges due to the introduction
of `/gcp/roleset/:roleset/token` and `/gcp/roleset/:roleset/key` endpoints.
The following policy grants a user the ability to read all rolesets, but would
also allow them to generate tokens and keys. This type of policy is not recommended:
```hcl
# DO NOT USE
path "/gcp/roleset/*" {
capabilities = ["read"]
}
```
The following example demonstrates how a wildcard can instead be used in a roleset policy to
adhere to the principle of least privilege:
```hcl
path "/gcp/roleset/+" {
capabilities = ["read"]
}
```
For more more information on policy syntax, see the
[policy documentation](/docs/concepts/policies#policy-syntax).
### Examples
To configure a roleset that generates OAuth2 access tokens (preferred):
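Review bot: the closing sentence of the new "Roleset Policy Considerations" section has a duplicated word ("For more more information on policy syntax"); suggest "For more information on policy syntax, see the [policy documentation](/docs/concepts/policies#policy-syntax)." It would also help readers to state why the second policy is least-privilege: `+` matches exactly one path segment, so `/gcp/roleset/+` covers `/gcp/roleset/<name>` but not `/gcp/roleset/<name>/token` or `/gcp/roleset/<name>/key`, whereas `*` matches everything beneath `/gcp/roleset/`, including those two new endpoints. Finally, the intro paragraph says the glob policy "would also allow them to generate tokens and keys", which is correct only because the new endpoints accept `read`; a short clause noting that both endpoints are served with the `read` capability would make the privilege escalation explicit.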


@ -27,6 +27,9 @@ The following API endpoints have been deprecated and will be removed in a future
* `/gcp/token/:roleset` and `/gcp/key/:roleset` paths for generating secrets for rolesets
in GCP Secrets. Use `/gcp/roleset/:roleset/token` and `/gcp/roleset/:roleset/key` instead.
-> **Note:** Policies containing globs should be avoided when giving users read access
to `/gcp/roleset` to avoid giving users permissions to generate tokens.
## Go Version
Vault 1.8.0 is built with Go 1.16. Please review the [Go Release
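Review bot: the added note only mentions tokens, while the roleset documentation and the release-notes bullet in this same commit warn about both tokens and keys; suggest "to avoid giving users permissions to generate tokens and keys" for consistency. The sentence also repeats "avoid" twice ("should be avoided ... to avoid giving"); a tighter form would be "Avoid globs in policies that grant read access to `/gcp/roleset`, since they also grant permission to generate tokens and keys."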
@ -48,3 +51,7 @@ Notes](https://golang.org/doc/go1.16) for full details. Of particular note:
the defaults when a new package was installed. This
[issue](https://github.com/hashicorp/vault/issues/12275) affects RedHat
packages for Vault 1.8.0 and the 1.8.1-0 package, and is fixed in 1.8.1-1 and up.
- The introduction of `/gcp/roleset/:roleset/token` and `/gcp/roleset/:roleset/key` could inadvertently give
users the ability to generate tokens and key if globs are used in policies. To avoid issues like this,
globs should be avoided in policies to help adhere to the principle of least privilege. See the
[roleset documentation](/docs/secrets/gcp#rolesets) for more information.
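Review bot: "the ability to generate tokens and key" should read "tokens and keys", matching the wording used in the roleset documentation hunk. The second sentence restates the first ("could inadvertently give ... if globs are used" followed by "globs should be avoided"); suggest collapsing it to one sentence, e.g. "If policies use globs under `/gcp/roleset`, they now also grant the ability to generate tokens and keys; prefer the `+` single-segment wildcard to keep read access least-privilege." It would also be worth mentioning `+` here, since the linked roleset documentation relies on it as the recommended replacement.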