I send an HTTP request to my HashiCorp Vault instance and receive a 403 HTTP response. How do I reverse engineer the policy I need to add from my request path?

curl \
-v \
-H "X-Vault-Token: $VAULT_TOKEN" \
https://myvault/v1/sys/plugins/catalog

< HTTP/2 403 
< date: Tue, 18 May 2021 20:52:52 GMT
< content-type: application/json
< content-length: 60
< cache-control: no-store
< strict-transport-security: max-age=15724800; includeSubDomains
< 
{"errors":["1 error occurred:\n\t* permission denied\n\n"]}
James

1 Answer

HashiCorp Vault does not suggest or show in any error which permission is missing. Instead, you can be a bit more generic, and most of the time it is easy to set the permission if you look at the pattern or the way it's set.

In your case, I can see you are trying to perform a GET request to the path /sys/plugins/catalog and are getting a 403.

So, you can have something like this in the policy:

path "sys/plugins/catalog" {
  capabilities = ["read"]
}

The GET request is of the capability type read; you can read more about these here.

More on the documentation.

TL;DR

The request you make: set it in the path. The method you trigger sets the equivalent capabilities. All of it goes in the policy. Use a wildcard in the path wherever you need it (just in case).

Saikat Chakrabortty
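As an added example (not from the question or the answer above), here is a small Python helper that applies the answer's rule mechanically: take the method and URL of the request that got the 403, strip the /v1/ API prefix to get the policy path, map the HTTP method to Vault's ACL capability names, and print the HCL stanza. The method-to-capability table follows Vault's documented ACL rules (GET is read, GET with ?list=true or the LIST method is list, POST/PUT need create on a new path and update on an existing one, DELETE is delete); the PATCH-to-patch row assumes Vault 1.10 or newer. The sample URLs are constructed.

```python
"""Derive a Vault policy stanza from the HTTP request that was denied.

Added example, not part of the original Q&A. The method-to-capability
table is Vault's documented ACL mapping; sample URLs are constructed.
"""
from urllib.parse import urlsplit, parse_qs

# POST/PUT are "create" when the path does not exist yet and "update" when it
# does, so a policy written from a single request safely grants both.
METHOD_CAPABILITIES = {
    "GET": ["read"],
    "LIST": ["list"],
    "POST": ["create", "update"],
    "PUT": ["create", "update"],
    "PATCH": ["patch"],  # assumption: "patch" capability exists (Vault >= 1.10)
    "DELETE": ["delete"],
}


def api_path_to_policy_path(url: str) -> str:
    """Policy paths have no scheme/host, no /v1/ prefix and no leading slash."""
    path = urlsplit(url).path
    if path.startswith("/v1/"):
        path = path[len("/v1/"):]
    return path.strip("/")


def capabilities_for(method: str, url: str) -> list[str]:
    """Map an HTTP method (plus the ?list=true query form) to ACL capabilities."""
    method = method.upper()
    query = parse_qs(urlsplit(url).query)
    if method == "GET" and query.get("list", [""])[0].lower() == "true":
        return ["list"]
    if method not in METHOD_CAPABILITIES:
        raise ValueError(f"unsupported HTTP method for Vault: {method}")
    return list(METHOD_CAPABILITIES[method])


def policy_stanza(method: str, url: str) -> str:
    """Render one HCL path stanza for a single denied request."""
    path = api_path_to_policy_path(url)
    caps = ", ".join(f'"{c}"' for c in capabilities_for(method, url))
    return f'path "{path}" {{\n  capabilities = [{caps}]\n}}\n'


def policy_from_requests(requests) -> str:
    """Merge several (method, url) pairs into one policy, one stanza per path.

    Capabilities are unioned per path, so a GET and a POST on the same path
    yield a single stanza with read, create and update.
    """
    merged: dict[str, list[str]] = {}
    for method, url in requests:
        path = api_path_to_policy_path(url)
        for cap in capabilities_for(method, url):
            if cap not in merged.setdefault(path, []):
                merged[path].append(cap)
    stanzas = []
    for path, caps in merged.items():
        rendered = ", ".join(f'"{c}"' for c in caps)
        stanzas.append(f'path "{path}" {{\n  capabilities = [{rendered}]\n}}\n')
    return "\n".join(stanzas)


if __name__ == "__main__":
    # The request from the question: GET /v1/sys/plugins/catalog -> read
    print(policy_stanza("GET", "https://myvault/v1/sys/plugins/catalog"))
    # Constructed follow-up requests against the same instance.
    print(policy_from_requests([
        ("GET", "https://myvault/v1/sys/plugins/catalog"),
        ("GET", "https://myvault/v1/secret/metadata/app?list=true"),
        ("POST", "https://myvault/v1/secret/data/app/config"),
        ("DELETE", "https://myvault/v1/secret/data/app/config"),
    ]))
```

Grant exactly the capability the denied request needs first and widen to a wildcard only if a second request on a sibling path is also denied; the narrower stanza keeps the token least-privilege. After attaching the policy, `vault token capabilities sys/plugins/catalog` prints the capabilities the current token has on that path, which is a quicker check than re-sending the original request.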