To allow self-service token generation in Complector, allow the
Salt primary policy to issue tokens for the admin role.
Ref T1975.
Differential D3355
Allow Salt policy to create admin-level tokens
Authored by dereckson on Jul 7 2024, 13:19.
Details
Ref T1975: Issue an admin token with salt-primary policy
Event Timeline

Comment: This is not the correct path -> Salt returns a 403 when using this policy. It works with an overkill path "auth/*".

Comment: By the way, the token used by Salt has the following properties:

metadata: {'role_name': 'salt_primary'}
policies: ['default', 'salt', 'salt-node-complector']

It means the policies read are salt (stable) and salt-node-complector (depends on the server name).

Comment: To be able to use auth/token/create/admin, it needs a role admin; let's add it to the DRP bootstrap script:

vault write auth/token/roles/admin allowed_policies=admin period=30d
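An added example, not part of this revision or of the comments above: a least-privilege Vault policy fragment for the Salt token that grants only the role-based create path the thread settles on, instead of the overkill "auth/*". The path and capability follow Vault's token auth backend (creating a token through `auth/token/create/:role_name` is an update operation); the role name `admin` matches the bootstrap command in the last comment. The `read` grant on `auth/token/roles/admin` is an assumption added for operator convenience, not something the thread requires.

```hcl
# Added example (not the project's own policy file): least-privilege grant
# for the Salt primary token, replacing the "auth/*" wildcard from the thread.

# Issue tokens bound to the "admin" role. The role itself is created in the
# DRP bootstrap step with:
#   vault write auth/token/roles/admin allowed_policies=admin period=30d
# The create endpoint is an update operation, hence "update". Because the
# role declares allowed_policies, the child token can carry the "admin"
# policy even though the Salt token holding this policy does not.
path "auth/token/create/admin" {
  capabilities = ["update"]
}

# Assumption: let the Salt token read the role definition so an operator can
# check allowed_policies and period from the Salt side. Not required for
# token creation; drop it if that visibility is unwanted.
path "auth/token/roles/admin" {
  capabilities = ["read"]
}

# Deliberately NOT granted:
#   - "auth/token/create" (role-less creation; not needed here)
#   - "auth/*" (would also cover auth/token/roles/*, i.e. redefining which
#     policies the "admin" role hands out, and every other auth mount)
```

Load it with `vault policy write <policy-name> <file>.hcl` for the policy the Salt token actually carries (per the second comment that is `salt` or `salt-node-complector`, not a policy named `salt-primary`), then verify from a Salt-side token with `vault write -f auth/token/create/admin`: a 403 on that call means the path or capability in the loaded policy does not match, which is the symptom reported in the first comment.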