hashicorp-vault

How to identify which paths can be accessed, and with what capabilities, in HashiCorp Vault for a given token?


I know we have an option to see what capabilities we have on a specific path for a given token.

Example, using the command: vault token capabilities secret/foo

But is there a way to identify all the paths I can access with the given token, with any capability (read, write, update, and so on)?

I tried vault token lookup to find the policy attached to my token, but I'm not able to read that policy to see which paths I have access to.

vault token create -policy=read-policy -no-default-policy
Key                  Value
---                  -----
token                XXXXXXXXXXXXXXXXXXXXXXXX
token_accessor       R3uPmiu30Hw8HgSbFcS3wkDJ
token_duration       768h
token_renewable      true
token_policies       ["read-policy"]   ++++++++++++++++++++++++++++++++++++++++
identity_policies    []
policies             ["read-policy"]

After login using the token, if I try to read that policy

vault policy read read-policy
Error reading policy named read-policy: Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/policies/acl/read-policy
Code: 403. Errors:

* 1 error occurred:
        * permission denied

So, do we have to include the read capability for sys/policies/acl/read-policy when creating the read-policy HCL file? (I even tried this, but capabilities are denied on this path; it seems only root can read it.) Or, per Vault's design, can we not see which paths we have access to unless the Vault admin tells us? Or do we have any commands to get that information?

Correct me if I'm wrong


Solution

  • After digging further into Vault, I found the solution for this. We have to run the command below, which shows which paths we have access to and with what capabilities:

    vault read sys/internal/ui/resultant-acl --format=json | jq -r .data
    
    {
      "exact_paths": {
        "auth/token/lookup-self": {
          "capabilities": ["read"]
        },
        "sys/internal/ui/resultant-acl": {
          "capabilities": ["read"]
        },
        "sys/mounts": {
          "capabilities": ["list"]
        }
      },
      "glob_paths": {
        "sys/mounts/": {
          "capabilities": ["create", "delete", "list", "read", "sudo", "update"]
        }
      },
      "root": false
    }
    

    So if we want our token users to know which paths/capabilities they have, then when we create the policy we have to include the read capability on the path sys/internal/ui/resultant-acl. For example, I created this policy for just managing secrets engines and included that capability, so that the user of a token mapped to this policy can read which paths/capabilities he or she has:

    cat /tmp/secrets-mgmt.hcl

    # Manage secrets engine mounts
    path "sys/mounts/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    path "sys/mounts" {
      capabilities = ["list"]
    }

    # Allow tokens to look up their own properties
    path "auth/token/lookup-self" {
      capabilities = ["read"]
    }

    # Allow the token to read its resultant ACL (the union of all its policies).
    # This is an internal path whose response format may change between Vault
    # versions as the internal ACL features and capabilities change.
    path "sys/internal/ui/resultant-acl" {
      capabilities = ["read"]
    }
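The resultant-acl output above lists the policy rules, not the paths themselves, so a user still has to work out which rule applies to a concrete path. The following added example (not code from the answer above or from HashiCorp) resolves a list of candidate paths against a resultant-acl payload offline, using the same resolution order Vault documents for ACL policies: a root token has everything, an `exact_paths` entry beats any glob, otherwise the longest matching `glob_paths` prefix wins, and a `deny` in the winning rule removes all access. The sample payload is the one from the answer with one constructed `deny` entry (`sys/mounts/kv-locked`) added to show the override; the function names `capabilities_for` and `audit` are this example's own.

```python
import json

# Constructed sample: the resultant-acl `data` object from the answer above, plus
# one made-up exact-path deny rule so the deny override can be demonstrated.
# In practice you would feed in the output of:
#   vault read -format=json sys/internal/ui/resultant-acl | jq .data
SAMPLE_RESULTANT_ACL = json.loads("""
{
  "exact_paths": {
    "auth/token/lookup-self": {"capabilities": ["read"]},
    "sys/internal/ui/resultant-acl": {"capabilities": ["read"]},
    "sys/mounts": {"capabilities": ["list"]},
    "sys/mounts/kv-locked": {"capabilities": ["deny"]}
  },
  "glob_paths": {
    "sys/mounts/": {"capabilities": ["create", "delete", "list", "read", "sudo", "update"]}
  },
  "root": false
}
""")


def capabilities_for(acl, path):
    """Return the set of capabilities `acl` grants on `path`.

    Resolution order (assumption, mirroring Vault's documented ACL evaluation):
      1. a root token ("root": true) has every capability, reported as {"root"}
         the way `vault token capabilities` reports it;
      2. an exact_paths entry wins over any glob;
      3. otherwise the longest glob_paths prefix that matches the path wins
         (glob_paths keys are the policy paths with the trailing "*" removed);
      4. "deny" in the winning rule means no access at all.
    """
    path = path.lstrip("/")  # Vault paths have no leading slash
    if acl.get("root"):
        return {"root"}

    rule = acl.get("exact_paths", {}).get(path)
    if rule is None:
        best_prefix = None
        for prefix in acl.get("glob_paths", {}):
            if path.startswith(prefix) and (best_prefix is None or len(prefix) > len(best_prefix)):
                best_prefix = prefix
        if best_prefix is None:
            return set()  # no rule matches: implicit deny
        rule = acl["glob_paths"][best_prefix]

    caps = set(rule.get("capabilities", []))
    if "deny" in caps:
        return set()  # explicit deny overrides everything else in the rule
    return caps


def audit(acl, candidate_paths):
    """Map each candidate path to the sorted list of capabilities it gets."""
    return {p: sorted(capabilities_for(acl, p)) for p in candidate_paths}


if __name__ == "__main__":
    candidates = [
        "sys/mounts",
        "sys/mounts/secret",
        "sys/mounts/kv-locked",
        "auth/token/lookup-self",
        "secret/foo",
    ]
    for path, caps in audit(SAMPLE_RESULTANT_ACL, candidates).items():
        print(f"{path:30} {caps or ['(no access)']}")
```

Because the script only consumes the JSON the token is already allowed to read, it gives the same answer `vault token capabilities <path>` would, but for any number of paths in one round trip. Note that this example only handles the `exact_paths`/`glob_paths` shape shown in the answer; newer Vault releases also support `+` segment wildcards in policies, which this matcher does not model.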