Creating a HashiCorp Policy
The HashiCorp administrator must create a policy that contains the permissions that are required to read and list the credentials and roles from the HashiCorp vault.
Procedure
The following is an example of a policy that grants the minimum privilege required to access the vault: only read and list on the credential and role paths of the database secrets engine (at its default mount and at an example custom mount), plus read on the auth paths.
# Dynamic credentials issued by the database secrets engine (default mount)
path "database/creds/*" {
  capabilities = [ "read", "list" ]
}
# Dynamic roles of the database secrets engine (default mount)
path "database/roles/*" {
  capabilities = [ "read", "list" ]
}
# Static credentials of the database secrets engine (default mount)
path "database/static-creds/*" {
  capabilities = [ "read", "list" ]
}
# Static roles of the database secrets engine (default mount)
path "database/static-roles/*" {
  capabilities = [ "read", "list" ]
}
# The same permissions for a database secrets engine mounted at a custom path (example path)
# Dynamic credentials
path "custom/123/abc123/databases/mongo/mongo123/creds/*" {
  capabilities = [ "read", "list" ]
}
# Dynamic roles
path "custom/123/abc123/databases/mongo/mongo123/roles/*" {
  capabilities = [ "read", "list" ]
}
# Static credentials
path "custom/123/abc123/databases/mongo/mongo123/static-creds/*" {
  capabilities = [ "read", "list" ]
}
# Static roles
path "custom/123/abc123/databases/mongo/mongo123/static-roles/*" {
  capabilities = [ "read", "list" ]
}
# Read-only access under auth/ for client web certificate authentication
path "auth/*" {
  capabilities = [ "read" ]
}