<img align=right src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=150>
<img src=images/acme.jpeg width=100 align=left>

<img src="images/policy-workflow.png">

**Prerequisites:**
- Vault binary


Before you begin, execute the following command in a separate windows:

`VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8200 vault server -log-level=trace -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-ha -dev-transactional`


In [4]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_SKIP_VERIFY=true
export VAULT_TOKEN=root

In [48]:
vault --version

[0mVault v1.6.0 (7ce0bd9691998e0443bc77e98b1e2a4ab1e965d4)[0m


In [47]:
vault status

[0mKey             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    3
Threshold       2
Version         1.6.0
Storage Type    inmem_transactional_ha
Cluster Name    vault-cluster-eb5fbb0c
Cluster ID      ee93a68b-c56b-0275-1460-88c0df32a576
HA Enabled      true
HA Cluster      https://127.0.0.1:8201
HA Mode         active[0m


#### Note the Initialized and Sealed status above.

## Create Policy

<img src="images/vault-policy-2.png" width=500>

 
ACL policy **PATH** supports wildcard matching ("**+**", "**\***")  
**PATH** corresponds to Vault API endpoints.  **No policy means no permission**  


List of capabilities  

| Capability | HTTP Verbs |
|------------|------------|
| create | POST/PUT |
| read | GET |
| update | POST/PUT |
| delete | DELETE |
| list | LIST |
| sudo | allows access to paths that are **root-protected** |
| deny | disallows access regardless of other capabilities |

Two out-of-the-box policies, they can't be deleted:
* **root** policy - superuser with all permissions
* **default** policy - common permissions  


In [2]:
# Work with kv secrets engine

cat << EOF > /tmp/base.hcl

path "kv/data/training_*" {
  capabilities = [ "create", "read" ]
}

path "kv/data/+/apikey" {
  capabilities = [ "create", "read", "update", "delete" ]
}

EOF

In [84]:
cat << EOF > /tmp/base.json
{
"policy": "
   {
    \"path\" : {
           \"kv/data/training_*\" : { \"capabilities\" : [ \"create\", \"read\" ] },
           \"kv/data/+/api2key\" : { \"capabilities\" : [ \"create\", \"read\", \"update\", \"delete\"] }
           }
  }
  "
}
EOF


**Note:** in *key/value secret engine 2*, the path to write policy would be **kv/data/\<path\>** even though the CLI command to the path is **kv/\<path\>**

### POlicy CLI Commands
```
vault policy list|read|write|delete [options]
```

In [62]:
vault login root
vault secrets enable -path=kv/ kv-v2

[0mSuccess! Enabled the kv-v2 secrets engine at: kv/[0m


In [77]:
vault policy write base /tmp/base.hcl  

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       TXR5jqtVDDwvSQyCwbziAhYq
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m
[0mSuccess! Uploaded policy: base[0m


In [32]:
vault secrets list

[0mPath          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_540e1719    per-token private secret storage
identity/     identity     identity_bb228414     identity store
secret/       kv           kv_dfad0eb2           key/value secret storage
sys/          system       system_9878252a       system endpoints used for control, policy and debugging[0m


**Using cURL**

In [87]:
curl --header "X-Vault-Token: root" --request PUT \
  --data @/tmp/base.json \
  $VAULT_ADDR/v1/sys/policy/base

In [88]:
curl -s --header "X-Vault-Token: root"\
  $VAULT_ADDR/v1/sys/policy | jq

[1;39m{
  [0m[34;1m"keys"[0m[1;39m: [0m[1;39m[
    [0;32m"base"[0m[1;39m,
    [0;32m"base2"[0m[1;39m,
    [0;32m"corepolicy"[0m[1;39m,
    [0;32m"default"[0m[1;39m,
    [0;32m"education"[0m[1;39m,
    [0;32m"foo"[0m[1;39m,
    [0;32m"team-eng"[0m[1;39m,
    [0;32m"team-qa"[0m[1;39m,
    [0;32m"test"[0m[1;39m,
    [0;32m"root"[0m[1;39m
  [1;39m][0m[1;39m,
  [0m[34;1m"policies"[0m[1;39m: [0m[1;39m[
    [0;32m"base"[0m[1;39m,
    [0;32m"base2"[0m[1;39m,
    [0;32m"corepolicy"[0m[1;39m,
    [0;32m"default"[0m[1;39m,
    [0;32m"education"[0m[1;39m,
    [0;32m"foo"[0m[1;39m,
    [0;32m"team-eng"[0m[1;39m,
    [0;32m"team-qa"[0m[1;39m,
    [0;32m"test"[0m[1;39m,
    [0;32m"root"[0m[1;39m
  [1;39m][0m[1;39m,
  [0m[34;1m"request_id"[0m[1;39m: [0m[0;32m"b501d2b0-b7f1-dd28-dae5-8aa5eca3eb7a"[0m[1;39m,
  [0m[34;1m"lease_id"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[34;1m"renewable"[0m[1;39m: [0m[0;39mf

In [89]:
vault policy read base

[0m{    "path" : {           "kv/data/training_*" : { "capabilities" : [ "create", "read" ] },           "kv/data/+/api2key" : { "capabilities" : [ "create", "read", "update", "delete"] }           }  }[0m


#### Create a token attached to the newly *base* policy

In [34]:
vault token create -policy="foo"

[0mKey                  Value
---                  -----
token                s.CO6TDYdpsgE4I4MzmpAvXNf4
token_accessor       SaYsMLki6qJDl4dYSWV6SbaT
token_duration       768h
token_renewable      true
token_policies       ["default" "foo"]
identity_policies    []
policies             ["default" "foo"][0m


**Note:** every token automatically gets *default* policy attached.

In [36]:
unset VAULT_TOKEN
vault login "s.CO6TDYdpsgE4I4MzmpAvXNf4"

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                s.CO6TDYdpsgE4I4MzmpAvXNf4
token_accessor       SaYsMLki6qJDl4dYSWV6SbaT
token_duration       767h59m35s
token_renewable      true
token_policies       ["default" "foo"]
identity_policies    []
policies             ["default" "foo"][0m


---
## Test "base" Policy

Using base token, you have very limited permissions.

In [38]:
vault policy list

[91mError listing policies: Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/policies/acl?list=true
Code: 403. Errors:

* 1 error occurred:
	* permission denied

[0m


Using base token, you have very limited permissions.  THe base policy does not have a rule on `sys/policy` path.  Lack of policy means **no permission** on that path.  Therefore, "permission denied" error is the expected behavior.

In [39]:
vault kv put kv/training_test password="p@ssw0rd"

[91mError making API request.

URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/kv/training_test
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "kv/training_test/"[0m


#### Read the data back

In [40]:
vault kv get kv/training_test

[91mError making API request.

URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/kv/training_test
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "kv/training_test/"[0m


#### Base policy only granst "create" and "read".  With the absence of "update" permission, this operation fails.

In [41]:
vault kv put kv/training_test password="password1234"

[91mError making API request.

URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/kv/training_test
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "kv/training_test/"[0m


In [42]:
vault kv put kv/team-eng/apikey api_key="123455"

[91mError making API request.

URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/kv/team-eng/apikey
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "kv/team-eng/apikey/"[0m


In [69]:
vault kv delete kv/team-eng/apikey

[0mSuccess! Data deleted (if it existed) at: kv/team-eng/apikey[0m


In [70]:
vault kv put kv/training_ year="2020"

[0mKey              Value
---              -----
created_time     2020-12-24T12:37:12.846247Z
deletion_time    n/a
destroyed        false
version          1[0m


&nbsp;   
### Check Token capabilities
The `vault token capabilities` command fetches the capabilities of a token for a given path.  You can review the policy, but if your token has multiple policies attached, you have to review all the associated policies which can get troublesome.

In [44]:
vault token capabilities kv/data/apikey

[0mdeny[0m


In [45]:
vault token capabilities kv/data/splunk/apikey

[0mcreate, delete, read, update[0m


#### Try another path that is not permitted by the `base` policy

In [83]:
vault token capabilities kv/data/test

[0mdeny[0m


In [85]:
vault login root >/dev/null
vault token capabilities kv/data/test

[0mroot[0m


---
### Policy for Policies
To allow users to be able to manage policies, you need to write policies for that

In [77]:
cat << EOF > /tmp/manage-policies.hcl

path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Create and manage ACL policies via API
path "sys/policies/acl" {
  capabilities = ["list"]
}
EOF

&nbsp;

---
#### Thank you.
<img src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=100 align="left">