49 lines
1.1 KiB
Markdown
49 lines
1.1 KiB
Markdown
# HashiCorp Vault Policies
|
|
|
|
## Policy Commands
|
|
|
|
```bash
|
|
vault policy list
|
|
vault policy read <policy-name>
|
|
vault policy write <policy-name> <policy-file.hcl>
|
|
vault policy delete <policy-name>
|
|
```
|
|
|
|
Format a policy file using `vault policy fmt <policy-file.hcl>`.
|
|
|
|
## Auditing
|
|
|
|
To enable auditing, use the following command:
|
|
|
|
```bash
|
|
vault audit enable file file_path=/var/log/vault_audit.log mode=0640
|
|
```
|
|
|
|
Configure Alloy to read the audit logs from the specified file path.
|
|
|
|
Add the following configuration to your Alloy setup:
|
|
|
|
```hcl
|
|
loki.source.file "vault_audit_log" {
|
|
targets = [
|
|
{"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit", "level" = "info"},
|
|
]
|
|
forward_to = [loki.write.default.receiver]
|
|
tail_from_end = true
|
|
}
|
|
```
|
|
|
|
> **Note:** `tail_from_end = true` ensures that only new log entries are read, preventing the ingestion of old lines/entries. It is (probably) required because the audit log file does not contain timestamps and only entry guids.
|
|
|
|
Check auditing configuration with:
|
|
|
|
```bash
|
|
vault audit list -detailed
|
|
```
|
|
|
|
To disable auditing, use:
|
|
|
|
```bash
|
|
vault audit disable file
|
|
```
|