slawek/vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vault/policies
History

README.md

HashiCorp Vault Policies

Defualt Policy

The default policy is created automatically when Vault is initialized, but can be modified as needed. It provides basic access to Vault features for authenticated users.

To restore the default policy to the newest default version, launch a development Vault server and copy the default policy from there:

vault policy read default > default_policy.hcl
vault policy write default default_policy.hcl

Policy Commands

vault policy list
vault policy read <policy-name>
vault policy write <policy-name> <policy-file.hcl>
vault policy delete <policy-name>

Format a policy file using vault policy fmt <policy-file.hcl>.

Display required capabilities for a given path with:

vault <anycommand> -output-policy

Auditing

To enable auditing, use the following command:

vault audit enable file file_path=/var/log/vault_audit.log mode=0640

Configure Alloy to read the audit logs from the specified file path.

Add the following configuration to your Alloy setup:

loki.source.file "vault_audit_log" {
    targets = [
        {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit", "level" = "info", "service" = "vault"},
    ]
    tail_from_end = true
    forward_to = [loki.process.vault_audit.receiver]
}

loki.process "vault_audit" {
    stage.json {
        expressions = {error = "error"}
    }

    stage.labels {
        values = { __has_error = "error" }
    }

    stage.match {
        selector = "{__has_error!=\"\"}"

        stage.static_labels {
            values = {level = "error"}
        }
    }

    stage.label_drop {
        values = ["__has_error"]
    }

    forward_to = [loki.write.default.receiver]
}

Note: tail_from_end = true ensures that only new log entries are read, preventing the ingestion of old lines/entries. It is (probably) required because the audit log file does not contain timestamps and only entry guids. Without this setting, Alloy may re-ingest old log entries upon restart.

loki.process extracts message level from the error field in the JSON log entry.

Check auditing configuration with:

vault audit list -detailed

To disable auditing, use:

vault audit disable file

References

  • RSoP Tool - hvresult computes the Resultant Set of Policy (RSoP) for Hashicorp Vault ACLs.
Reference in New Issue View Git Blame Copy Permalink