slawek/vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updates to identity docs.

Browse Source
This commit is contained in:
Sławek Koszewski
2026-01-20 19:51:40 +01:00
parent ba8d65173b
commit b887ade155
3 changed files with 59 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
docs/Identity.md
View File

@@ -55,14 +55,20 @@ You can also set VAULT_TOKEN with the following command:
export VAULT_TOKEN=$(vault login -token-only -method=userpass username="your-username") export VAULT_TOKEN=$(vault login -token-only -method=userpass username="your-username")
``` ```
> **Note:** The `-token-only` is an equivalent of `-field=token -no-store` options. or a function like this:
You can also use the following command to set VAULT_TOKEN and TOKEN_ACCESSOR:
```bash ```bash
export TOKEN_ACCESSOR=$(vault token lookup -format=json | jq -r .data.accessor) function v_login() {
local VAULT_USERNAME=${1:-"your-username"}
vault login -format=json -method=userpass username="$VAULT_USERNAME" |
jq -r '.auth | [.client_token, .accessor] | @tsv' | read -r VAULT_TOKEN TOKEN_ACCESSOR
echo "Logged in as $VAULT_USERNAME (Token accessor: $TOKEN_ACCESSOR)"
export VAULT_TOKEN TOKEN_ACCESSOR
}
``` ```
> **Note:** The `-token-only` is an equivalent of `-field=token -no-store` options.
You can then use the `TOKEN_ACCESSOR` to look up token details without exposing the actual token. You can then use the `TOKEN_ACCESSOR` to look up token details without exposing the actual token.
```bash ```bash
@@ -96,3 +102,6 @@ Read user details:
```bash ```bash
vault read auth/userpass/users/username vault read auth/userpass/users/username
``` ```
## Entities and Groups

25
docs/README.md Normal file
View File

@@ -0,0 +1,25 @@
# General Vault Links and Commands
## Useful commands
Display the `curl` equivalent of a Vault CLI command:
```bash
vault <any_command> -output-curl-string
```
The following are equivalent:
```bash
curl -s -H "X-Vault-Request: true" -H "X-Vault-Token: $VAULT_TOKEN" "https://vault.koszewscy.waw.pl/v1/auth/userpass/users?list=true"
```
and
```bash
curl -s -X LIST -H "X-Vault-Request: true" -H "X-Vault-Token: $VAULT_TOKEN" https://vault.koszewscy.waw.pl/v1/auth/userpass/users
```
because the Vault uses non-standard HTTP method `LIST` for listing resources.
---

21
policies/README.md
View File

@@ -1,5 +1,16 @@
# HashiCorp Vault Policies # HashiCorp Vault Policies
## Defualt Policy
The **default** policy is created automatically when Vault is initialized, but can be modified as needed. It provides basic access to Vault features for authenticated users.
To restore the default policy to the newest default version, launch a development Vault server and copy the default policy from there:
```bash
vault policy read default > default_policy.hcl
vault policy write default default_policy.hcl
```
## Policy Commands ## Policy Commands
```bash ```bash
@@ -11,6 +22,12 @@ vault policy delete <policy-name>
Format a policy file using `vault policy fmt <policy-file.hcl>`. Format a policy file using `vault policy fmt <policy-file.hcl>`.
Display required capabilities for a given path with:
```bash
vault <anycommand> -output-policy
```
## Auditing ## Auditing
To enable auditing, use the following command: To enable auditing, use the following command:
@@ -46,3 +63,7 @@ To disable auditing, use:
```bash ```bash
vault audit disable file vault audit disable file
``` ```
## References
- [RSoP Tool](https://github.com/threatkey-oss/hvresult) - **hvresult** computes the Resultant Set of Policy (RSoP) for Hashicorp Vault ACLs.