Add auditing section to README with configuration and commands

Add policy files for Vault: admin, app_role, and identity policies
Add unwrap and wrap scripts for handling wrapped secrets in Vault
2026-01-18 12:06:56 +01:00 · 2026-01-18 12:01:42 +01:00 · 2026-01-18 12:01:29 +01:00 · 2026-01-18 12:01:20 +01:00 · 2026-01-18 12:01:09 +01:00
8 changed files with 155 additions and 0 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,6 @@
+{
+    "[hcl]": {
+        "editor.tabSize": 2,
+        "editor.insertSpaces": true
+    }
+}
--- a/README.md
+++ b/README.md
@@ -144,6 +144,12 @@ loki.source.file "vault_audit_log" {
 }
 ```

+Check the auditing configuration:
+
+```shell
+vault audit list -detailed
+```
+
 ### Main Vault Configuration

 Depending on main Vault state (new or existing), some of the following steps are mutually exclusive.
--- a/bin/unwrap.sh
+++ b/bin/unwrap.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# Usage: ./unwrap.sh <VAULT_TOKEN>
+# This script unwraps a wrapped secret in HashiCorp Vault using the provided token.
+
+curl -s -X PUT \
+	-H "X-Vault-Token: $1" \
+	-H "X-Vault-Request: true" \
+	-d 'null' \
+	https://vault.koszewscy.waw.pl/v1/sys/wrapping/unwrap | jq '.data'
--- a/bin/wrap.sh
+++ b/bin/wrap.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+DEFAULT_TTL="60"
+ 
+curl \
+    --header "X-Vault-Token: $VAULT_TOKEN" \
+    --header "X-Vault-Wrap-TTL: $DEFAULT_TTL" \
+    --request POST \
+    --data "$1" \
+    $VAULT_ADDR/v1/sys/wrapping/wrap | jq 
--- a/policies/README.md
+++ b/policies/README.md
@@ -0,0 +1,45 @@
+# HashiCorp Vault Policies
+
+## Policy Commands
+
+```bash
+vault policy list
+vault policy read <policy-name>
+vault policy write <policy-name> <policy-file.hcl>
+vault policy delete <policy-name>
+```
+
+Format a policy file using `vault policy fmt <policy-file.hcl>`.
+
+## Auditing
+
+To enable auditing, use the following command:
+
+```bash
+vault audit enable file file_path=/var/log/vault_audit.log mode=0640
+```
+
+Configure Alloy to read the audit logs from the specified file path.
+
+Add the following configuration to your Alloy setup:
+
+```hcl
+loki.source.file "vault_audit_log" {
+    targets = [
+        {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit"},
+    ]
+    forward_to = [loki.write.default.receiver]
+}
+```
+
+Check auditing configuration with:
+
+```bash
+vault audit list -detailed
+```
+
+To disable auditing, use:
+
+```bash
+vault audit disable file
+```
--- a/policies/admin_policy.hcl
+++ b/policies/admin_policy.hcl
@@ -0,0 +1,51 @@
+# Read system health check
+path "sys/health" {
+  capabilities = ["read", "sudo"]
+}
+
+# Create and manage ACL policies broadly across Vault
+
+# List existing policies
+path "sys/policies/acl" {
+  capabilities = ["list"]
+}
+
+# Create and manage ACL policies
+path "sys/policies/acl/*" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Enable and manage authentication methods broadly across Vault
+
+# Manage auth methods broadly across Vault
+path "auth/*" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create, update, and delete auth methods
+path "sys/auth/*" {
+  capabilities = ["create", "update", "delete", "sudo"]
+}
+
+# List auth methods
+path "sys/auth" {
+  capabilities = ["read"]
+}
+
+# Enable and manage the key/value secrets engine at `secret/` path
+
+# List, create, update, and delete key/value secrets
+# path "secret/*"
+# {
+#   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+# }
+
+# Manage secrets engines
+path "sys/mounts/*" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List existing secrets engines.
+path "sys/mounts" {
+  capabilities = ["read"]
+}
--- a/policies/app_role_admin.hcl
+++ b/policies/app_role_admin.hcl
@@ -0,0 +1,19 @@
+# Mount the AppRole auth method
+path "sys/auth/approle" {
+  capabilities = [ "create", "read", "update", "delete", "sudo" ]
+}
+
+# Configure the AppRole auth method
+path "sys/auth/approle/*" {
+  capabilities = [ "create", "read", "update", "delete" ]
+}
+
+# Create and manage roles
+path "auth/approle/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Write ACL policies
+path "sys/policies/acl/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
--- a/policies/identity_admin_policy.hcl
+++ b/policies/identity_admin_policy.hcl
@@ -0,0 +1,8 @@
+# Add identity admin role to the token
+path "identity/*" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "identity/entity/*/name" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
Author	SHA1	Message	Date
Slawomir Koszewski	fe38e97e02	Add auditing section to README with configuration and commands	2026-01-18 12:06:56 +01:00
Slawomir Koszewski	aca9f4c5ab	Add policy files for Vault: admin, app_role, and identity policies	2026-01-18 12:01:42 +01:00
Slawomir Koszewski	74a364c8e1	Add unwrap and wrap scripts for handling wrapped secrets in Vault	2026-01-18 12:01:29 +01:00
Slawomir Koszewski	691bcf2bb4	Add auditing configuration check command to README	2026-01-18 12:01:20 +01:00
Slawomir Koszewski	1034231806	Add VSCode settings for HCL file formatting	2026-01-18 12:01:09 +01:00