Creating a HashiCorp Policy

The HashiCorp administrator must create a policy that contains only the permissions required to read and list the credentials and roles from the HashiCorp Vault.

Procedure

The following is an example of a policy with the minimum amount of privilege that is required to access the vault. Every path that is not listed is denied by default.

# Dynamic credentials on the default database mount
path "database/creds/*" {
  capabilities = [ "read", "list" ]
}

# Dynamic roles on the default database mount
path "database/roles/*" {
  capabilities = [ "read", "list" ]
}

# Static credentials on the default database mount
path "database/static-creds/*" {
  capabilities = [ "read", "list" ]
}

# Static roles on the default database mount
path "database/static-roles/*" {
  capabilities = [ "read", "list" ]
}

# Dynamic credentials on a custom database mount path
path "custom/123/abc123/databases/mongo/mongo123/creds/*" {
  capabilities = [ "read", "list" ]
}

# Dynamic roles on a custom database mount path
path "custom/123/abc123/databases/mongo/mongo123/roles/*" {
  capabilities = [ "read", "list" ]
}

# Static credentials on a custom database mount path
path "custom/123/abc123/databases/mongo/mongo123/static-creds/*" {
  capabilities = [ "read", "list" ]
}

# Static roles on a custom database mount path
path "custom/123/abc123/databases/mongo/mongo123/static-roles/*" {
  capabilities = [ "read", "list" ]
}

# Read-only access under auth/ for client web certificate configuration
path "auth/*" {
  capabilities = [ "read" ]
}
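To review a policy like this one before it is written to Vault, the following is an added example (it is not part of this documentation and not HashiCorp's code). It embeds the page's nine rules, emulates Vault's documented ACL path matching in a simplified form (assumptions: a trailing "*" is a prefix glob, "+" matches exactly one path segment, an exact match outranks a glob, the longest literal match wins otherwise, and a path with no matching rule is denied), and then checks sample request paths and flags any rule that grants a state-changing capability. The request paths are constructed for the example.

```python
"""Offline review of the minimum-privilege Vault policy shown on this page.

Added example, not HashiCorp's code: it emulates Vault's ACL path matching in
a simplified form (assumptions: a trailing '*' is a prefix glob, '+' matches
exactly one path segment, an exact match outranks a glob, the longest literal
match wins otherwise, and any path with no matching rule is denied).
"""
import re

# The page's policy, each rule compacted to one line (same paths and capabilities).
POLICY_HCL = '''
path "database/creds/*"        { capabilities = [ "read", "list" ] }
path "database/roles/*"        { capabilities = [ "read", "list" ] }
path "database/static-creds/*" { capabilities = [ "read", "list" ] }
path "database/static-roles/*" { capabilities = [ "read", "list" ] }
path "custom/123/abc123/databases/mongo/mongo123/creds/*"        { capabilities = [ "read", "list" ] }
path "custom/123/abc123/databases/mongo/mongo123/roles/*"        { capabilities = [ "read", "list" ] }
path "custom/123/abc123/databases/mongo/mongo123/static-creds/*" { capabilities = [ "read", "list" ] }
path "custom/123/abc123/databases/mongo/mongo123/static-roles/*" { capabilities = [ "read", "list" ] }
path "auth/*"                  { capabilities = [ "read" ] }
'''

# Capabilities that change state; a read/list-only policy should grant none of them.
WRITE_CAPABILITIES = {"create", "update", "patch", "delete", "sudo", "root"}

PATH_BLOCK = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl):
    """Return a list of (path_pattern, set_of_capabilities) from policy text."""
    rules = []
    for m in PATH_BLOCK.finditer(hcl):
        caps = {c.strip().strip('"') for c in m.group(2).split(",") if c.strip()}
        rules.append((m.group(1), caps))
    return rules


def pattern_to_regex(pattern):
    """Translate one policy path into a regex using the simplified matching rules."""
    if "*" in pattern[:-1]:
        raise ValueError("'*' is only valid at the end of a path: " + pattern)
    is_glob = pattern.endswith("*")
    body = pattern[:-1] if is_glob else pattern
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if is_glob else "") + "$")


def capabilities_for(rules, request_path):
    """Capabilities the most specific matching rule grants; an empty set means denied."""
    best = None
    for pattern, caps in rules:
        if not pattern_to_regex(pattern).match(request_path):
            continue
        is_glob = pattern.endswith("*")
        body = pattern[:-1] if is_glob else pattern
        # Exact matches outrank globs; among globs the longer literal prefix wins.
        rank = (0 if is_glob else 1, len(body.replace("+", "")))
        if best is None or rank > best[0]:
            best = (rank, caps)
    if best is None or "deny" in best[1]:
        return set()
    return set(best[1])


def allowed(rules, request_path, capability):
    """True if the policy grants `capability` on `request_path`."""
    return capability in capabilities_for(rules, request_path)


def audit_policy(rules):
    """List the path patterns that grant any state-changing capability."""
    return [p for p, caps in rules if caps & WRITE_CAPABILITIES]


RULES = parse_policy(POLICY_HCL)

if __name__ == "__main__":
    # Constructed sample request paths, not taken from a real Vault.
    for path in ("database/creds/app-readonly", "database/config/app-db",
                 "custom/123/abc123/databases/mongo/mongo123/static-creds/app",
                 "auth/token/create"):
        print(f"{path:62s} -> {sorted(capabilities_for(RULES, path)) or 'denied'}")
    print("rules granting write capabilities:", audit_policy(RULES) or "none")
```

Running the script shows that credential and role paths on both mounts resolve to read and list, a path outside the policy such as database/config/app-db is denied, and auth/token/create receives read only, so the policy cannot be used to create tokens. The audit step is the check worth keeping in a review pipeline: a policy meant for reading credentials should never contain a rule that grants create, update, delete or sudo.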