1

In Vault documentation, specifically the policies page, there is this phrase:

Everything in Vault is path based, and policies are no exception

I wonder about this phrase, does it mean that in the architecture of Vault and in its internals everything really is a path, similar to the "Everything is a file" in Linux architecture, which applies on processes, files, directories, sockets, pipes, etc?

What makes me relate to this phrase is that secret engines are defined by paths, and I assume Vault infers their types and which to be used from the given paths. Also policies are relatable as you have to define exact paths for each policy, but what about other components like auth methods, audits, tokens, etc?

I just want to get what is meant by "path based" in "Everything in Vault is path based" phrase.

Wazery
  • 15,394
  • 19
  • 63
  • 95
  • I would assume this means all of the engines, their configurations, and their usage are path-based, but I am not 100% confident. These paths also usually correlate to the API endpoints. – Matthew Schuchard Jan 20 '22 at 22:05

2 Answers2

3

In Vault, everything is path based. This means that every operation that is performed in Vault is done through a path. The path is used to determine the location of the operation, as well as the permissions that are required to execute the operation.

XPTO
  • 129
  • 2
3

Whether you're using the vault binary or whether you're hitting the HTTP API endpoints, secrets/configs are written to a path.

i.e. via cli:

VAULT_ADDR=https://myvault.example.com VAULT_TOKEN=xxxxxxxx-xxxxxxx-xxxxxx vault kv get mysecrets/passwords/root

would correspond to HTTP endpoint:

curl \
    -H "X-Vault-Token: xxxxxxx-xxxxxx-xxxxxxx" \
    -X GET \
    https://myvault.example.com/v1/mysecrets/passwords/root

Here's another example:

  • enabling the gcp secret engine with a custom path:
vault secrets enable -path=”my-project-123” gcp

If you wanted to enable secrets engines from the HTTP API, the endpoint (path) is /sys/mounts. Details here.

  • creating writing a config:
vault write my-project-123/config credentials=@/path/to/creds.json ttl=3600 max_ttl=21600

Notice how the config is written to a path, and if you were to use the HTTP API endpoint to do this, then it would look something like this:

curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://myvault.example.com/v1/my-project-123/config

Where the payload.json would contain your credentials in text, ttl, max_ttl

Hence why they Vault says everything is path based.

EDIT: TL;DR - path based is so that there's parity between HTTP API and CLI (or any SDKs too). Compare this to a gcloud or aws command to its HTTP API endpoint counterpart where there isn't much parity there.

Glen Yu
  • 698
  • 1
  • 3
  • 9