vault_client_policy {vaultr}R Documentation

Vault Policy Configuration

Description

Vault Policy Configuration

Vault Policy Configuration

Details

Interact with vault's policies. To get started, you may want to read up on policies as described in the vault manual, here: https://developer.hashicorp.com/vault/docs/concepts/policies

Super class

vaultr::vault_client_object -> vault_client_policy

Methods

Public methods

Inherited methods

Method new()

Create a vault_client_policy object. Not typically called by users.

Usage
vault_client_policy$new(api_client)
Arguments
api_client

A vault_api_client object


Method delete()

This endpoint deletes the policy with the given name. This will immediately affect all users associated with this policy.

Usage
vault_client_policy$delete(name)
Arguments
name

Specifies the name of the policy to delete.


Method list()

Lists all configured policies.

Usage
vault_client_policy$list()

Method read()

Retrieve the policy body for the named policy

Usage
vault_client_policy$read(name)
Arguments
name

Specifies the name of the policy to retrieve


Method write()

Create or update a policy. Once a policy is updated, it takes effect immediately to all associated users.

Usage
vault_client_policy$write(name, rules)
Arguments
name

Name of the policy to update

rules

Specifies the policy document. This is a string in "HashiCorp configuration language". At present this must be read in as a single string (not a character vector of strings); future versions of vaultr may allow more flexible specification such as ⁠@filename⁠

Examples

server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()

  # The test server starts with only the policies "root" (do
  # everything) and "default" (do nothing).
  client$policy$list()

  # Here let's make a policy that allows reading secrets from the
  # path /secret/develop/* but nothing else
  rules <- 'path "secret/develop/*" {policy = "read"}'
  client$policy$write("read-secret-develop", rules)

  # Our new rule is listed and can be read
  client$policy$list()
  client$policy$read("read-secret-develop")

  # For testing, let's create a secret under this path, and under
  # a different path:
  client$write("/secret/develop/password", list(value = "password"))
  client$write("/secret/production/password", list(value = "k2e89be@rdC#"))

  # Create a token that can use this policy:
  token <- client$auth$token$create(policies = "read-secret-develop")

  # Login to the vault using this token:
  alice <- vaultr::vault_client(addr = server$addr,
                                login = "token", token = token)

  # We can read the paths that we have been granted access to:
  alice$read("/secret/develop/password")

  # We can't read secrets that are outside our path:
  try(alice$read("/secret/production/password"))

  # And we can't write:
  try(alice$write("/secret/develop/password", list(value = "secret")))

  # cleanup
  server$kill()
}

[Package vaultr version 1.2.0 Index]