Creating Vault Policies for the Organization


Introduction

Vault policies control access to paths in Vault. A policy is written in HashiCorp Configuration Language (HCL) and is a list of paths, each with the capabilities (for example create, read, update, delete, list) that are permitted on it. Anything a policy does not explicitly allow is denied. Policies are attached to the tokens Vault issues when a client authenticates, so a token can only perform operations that at least one of its policies grants.

In this Lab Step, you will create two policies: one for the Engineering department and one for the Research department of the LDAP directory. In a later step, the LDAP auth method will be configured so that these policies are attached automatically to the tokens issued to LDAP-authenticated users. You will also create two secrets, one per department, to illustrate the paths that the policies control access to.

 

Instructions

1. In the Cloud9 terminal, enter the following commands to create two secrets in the key-value secrets engine mounted at secret/:

vault kv put secret/Engineering app_password=3nG1neErIng owner=Engineering
vault kv put secret/Research lab_coat_coupon_code=Linus18 owner=Research

The version field in the output shows that the secrets engine mounted at secret/ is version 2 of the key-value (KV) secrets engine, which keeps a version history of every secret. Vault servers started in development mode mount KV version 2 at secret/ by default. With KV version 2, secret data is read and written through a data/ sub-path, so the two secrets are actually stored at secret/data/Engineering and secret/data/Research, and policies must grant access to those paths rather than to secret/Engineering or secret/Research. The vault kv commands hide this by inserting data/ for you, but a policy does not: a rule for secret/Engineering would never match a request for secret/data/Engineering. Listing is the other difference to keep in mind: on KV version 2, keys are listed under secret/metadata/, so a list capability granted on a secret/data/ path has no effect. Version 1 of the KV engine has no such prefixes, and policy paths match the secret paths directly.

 

2. Right-click Lab in the left Environment tab and click New File:


 

3. In the highlighted file name field, enter Engineering.hcl:


 

4. Create a second file named Research.hcl.

 

5. Open the Engineering.hcl file by double-clicking it and enter the following policy:

path "secret/data/Engineering" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

The policy grants every capability on the secret/data/Engineering path: a token holding it can create, read, update and delete the Engineering secret. Because Vault denies by default, the same token gets no access to secret/data/Research or to any other path.

 

6. Save the Engineering.hcl file by clicking File Save:


 

7. Enter the following policy into the Research.hcl file:

path "secret/data/Research" {
  capabilities = ["read"]
}


 

8. Save the Research.hcl file.

 

9. In the newest Cloud9 terminal tab, enter the following commands to write the policies into Vault:

vault policy write engineering Engineering.hcl
vault policy write research Research.hcl


 

10. List the installed policies: 

vault policy list

The engineering and research policies are listed alongside the two built-in policies, default and root. Vault parses a policy when it is written, so a file with a syntax error or an unknown capability is rejected by vault policy write and would not appear here. You can confirm the stored content of a policy with vault policy read engineering.
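To make the path rules concrete, here is an added example that is not part of the original lab: a small Python model of how Vault matches a request against the rules in the policies above. It is not Vault's own code and implements only the subset of the ACL semantics these policies rely on (exact-path rules, trailing * globs with longest-prefix precedence, capability union across a token's policies, deny precedence, implicit deny for unmatched paths); + segment wildcards and parameter constraints are left out. The two policies from this step are embedded verbatim; the NAIVE_HCL policy is a constructed example of the mistake of writing the rule against secret/Engineering instead of secret/data/Engineering, and kv2_request translates vault kv commands into the capability and API path Vault checks on a KV version 2 mount.

```python
"""Simplified model of Vault policy matching for the policies in this lab step.

Constructed example, not Vault's code. Models exact-path rules, trailing `*`
globs (longest prefix wins), union of a token's policies, `deny` precedence and
implicit deny. `+` wildcards and parameter constraints are not modelled.
"""
import re
from typing import Dict, Set, Tuple

# The two policies written in this lab step, embedded so the script runs offline.
ENGINEERING_HCL = '''
path "secret/data/Engineering" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''
RESEARCH_HCL = '''
path "secret/data/Research" {
  capabilities = ["read"]
}
'''
# Hypothetical policy written against the unversioned path: the mistake the text warns about.
NAIVE_HCL = '''
path "secret/Engineering" {
  capabilities = ["read"]
}
'''

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Parse `path "..." { capabilities = [...] }` blocks into {path: {capabilities}}."""
    rules: Dict[str, Set[str]] = {}
    for path, caps in _RULE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def merge_policies(*policies: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """A token's effective rules: the union of all its policies, merged per path."""
    merged: Dict[str, Set[str]] = {}
    for policy in policies:
        for path, caps in policy.items():
            merged.setdefault(path, set()).update(caps)
    return merged


def match_rule(rules: Dict[str, Set[str]], req_path: str) -> Set[str]:
    """An exact rule wins; otherwise the longest glob (trailing *) whose prefix matches.
    An unmatched path yields no capabilities, i.e. an implicit deny."""
    if req_path in rules:
        return rules[req_path]
    best_path, best_caps = "", set()
    for path, caps in rules.items():
        if path.endswith("*") and req_path.startswith(path[:-1]) and len(path) > len(best_path):
            best_path, best_caps = path, caps
    return best_caps


def allowed(rules: Dict[str, Set[str]], capability: str, req_path: str) -> bool:
    """Decide one request against the matched rule; `deny` beats every other capability."""
    caps = match_rule(rules, req_path)
    return "deny" not in caps and capability in caps


def kv2_request(op: str, kv_path: str, exists: bool = True) -> Tuple[str, str]:
    """Map `vault kv <op> <mount>/<key>` to the (capability, API path) Vault checks on a
    KV version 2 mount: data/ for reads and writes, metadata/ for listing. Writing a key
    that does not exist yet needs create; overwriting an existing key needs update."""
    mount, _, key = kv_path.partition("/")
    key = key.strip("/")
    if op == "get":
        return "read", f"{mount}/data/{key}"
    if op == "put":
        return ("update" if exists else "create"), f"{mount}/data/{key}"
    if op == "delete":
        return "delete", f"{mount}/data/{key}"
    if op == "list":
        return "list", (f"{mount}/metadata/{key}/" if key else f"{mount}/metadata/")
    raise ValueError(f"unsupported kv operation: {op}")


def kv_allowed(rules: Dict[str, Set[str]], op: str, kv_path: str, exists: bool = True) -> bool:
    """Would a token holding `rules` be allowed to run `vault kv <op> <kv_path>`?"""
    capability, api_path = kv2_request(op, kv_path, exists)
    return allowed(rules, capability, api_path)


if __name__ == "__main__":
    engineering, research, naive = map(parse_policy, (ENGINEERING_HCL, RESEARCH_HCL, NAIVE_HCL))
    checks = [
        ("engineering", engineering, "get", "secret/Engineering"),
        ("engineering", engineering, "get", "secret/Research"),
        ("engineering", engineering, "list", "secret/Engineering"),
        ("research", research, "get", "secret/Research"),
        ("research", research, "put", "secret/Research"),
        ("naive", naive, "get", "secret/Engineering"),
    ]
    for name, rules, op, path in checks:
        cap, api_path = kv2_request(op, path)
        verdict = "allowed" if kv_allowed(rules, op, path) else "denied"
        print(f"{name:12} vault kv {op:5} {path:20} -> {cap:6} on {api_path:28} {verdict}")
```

Running the script shows the engineering token reading its own secret but not the Research one, the research token reading but not writing, the list capability on secret/data/Engineering doing nothing because listing happens under secret/metadata/, and the naive secret/Engineering rule granting nothing at all. Against a live dev server the same checks are done with real tokens: vault token create -policy=engineering, then vault token capabilities <token> secret/data/Research, which prints deny.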

 

Summary

In this Lab Step, you created two Vault policies and the secrets they protect. In the following steps, the policies are attached to the tokens issued to users who authenticate with LDAP.