Although Vault's web UI requires you to unseal and log in with the initial token as soon as the server starts before any page becomes reachable, Vault manages a great deal of encrypted data, so its ACL configuration is richer than that of Consul or Nomad. In Vault every feature is exposed as a secret path, so policies assign capabilities per secret path, and by default every policy denies.
Yesterday we enabled the root token; today we set up an admin policy and generate a token from it.
Grant the path `ithome/web` the `read` capability:

```hcl
path "ithome/web" {
  capabilities = ["read"]
}
```
`*` means that every path under `ithome/` can be read, or that every name starting with `ithome/api-` can be read:

```hcl
path "ithome/*" {
  capabilities = ["read"]
}
path "ithome/api-*" {
  capabilities = ["read"]
}
```
`+` stands for any single value within one path segment; for example, both `ithome/it/ops/account` and `ithome/it/dev/account` can be read:

```hcl
path "ithome/+/+/account" {
  capabilities = ["read"]
}
```
There are also finer-grained parameters, such as `required_parameters`, `allowed_parameters` and `denied_parameters`, and the TTL settings `min_wrapping_ttl` and `max_wrapping_ttl`. The capabilities include `read`, `update`, `delete`, `list`, `sudo` and `deny`.
Right now we only have the root token, but just as on Linux, working as root is not appropriate, so we create an admin policy according to our management needs. Below is the example from the official documentation:
```hcl
# admin-policy.hcl
# Read system health check
path "sys/health"
{
  capabilities = ["read", "sudo"]
}

# Create and manage ACL policies broadly across Vault
# List existing policies
path "sys/policies/acl"
{
  capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Enable and manage authentication methods broadly across Vault
# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*"
{
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}

# Enable and manage the key/value secrets engine at `secret/` path
# List, create, update, and delete key/value secrets
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts"
{
  capabilities = ["read"]
}
```
```shell
$ vault login s.74W0ZILvI9fbZRn9hxKify2r
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

$ vault policy write admin admin-policy.hcl
Success! Uploaded policy: admin

$ vault token create -policy=admin
Key                  Value
---                  -----
token                s.Vh4ob5CCxvA0vHrIqnJyjcjo
token_accessor       uAjyfICBC33TejTcupKVMiPb
token_duration       768h
token_renewable      true
token_policies       ["admin" "default"]
identity_policies    []
policies             ["admin" "default"]
```
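To make the path-matching rules above concrete (default deny, `*` as a trailing prefix glob, `+` as a single-segment wildcard, the most specific matching rule winning, and `deny` overriding everything in that rule), here is an added example that models them in Python. It is a simplified model written for this post, not Vault's own implementation, and the `ithome/secret-*` deny rule is a constructed addition to the rules shown above.

```python
import re

# Constructed policy: the ithome rules from this post, two rules from the
# official admin policy, plus a constructed deny rule to show precedence.
POLICY = {
    "ithome/web": ["read"],
    "ithome/*": ["read"],
    "ithome/api-*": ["read"],
    "ithome/+/+/account": ["read"],
    "ithome/secret-*": ["deny"],            # constructed, not from the post
    "sys/policies/acl": ["list"],
    "sys/policies/acl/*": ["create", "read", "update", "delete", "list", "sudo"],
}


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a policy path into a regex.

    '+' matches exactly one non-empty path segment, a trailing '*' matches
    any remaining suffix, and every other character is literal.
    """
    if pattern.endswith("*"):
        body, suffix = pattern[:-1], ".*"
    else:
        body, suffix = pattern, ""
    segments = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(segments) + suffix + "$")


def allowed(policy: dict, path: str, capability: str) -> bool:
    """Default deny: grant only if the most specific matching rule lists the
    capability and does not list 'deny'."""
    if path in policy:                       # an exact rule always wins
        caps = policy[path]
    else:
        matches = [p for p in policy if pattern_to_regex(p).match(path)]
        if not matches:
            return False                     # nothing matched: implicit deny
        # Simplified precedence: the longest (most specific) pattern wins.
        caps = policy[max(matches, key=len)]
    if "deny" in caps:                       # deny overrides other capabilities
        return False
    return capability in caps


if __name__ == "__main__":
    for req in [("ithome/web", "read"), ("ithome/it/ops/account", "read"),
                ("ithome/secret-db", "read"), ("sys/policies/acl", "update")]:
        print(req, "->", "allow" if allowed(POLICY, *req) else "deny")
```

Note that `sys/policies/acl` only allows `list`, while `sys/policies/acl/admin` falls under the `sys/policies/acl/*` rule, which is why the admin policy in the post needs both entries.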