vault_client_policy {vaultr} | R Documentation |
Vault Policy Configuration
Description
Vault Policy Configuration
Details
Interact with vault's policies. To get started, you may want to read up on policies as described in the vault manual, here: https://developer.hashicorp.com/vault/docs/concepts/policies
Super class
vaultr::vault_client_object -> vault_client_policy
Methods
Public methods
Inherited methods
Method new()
Create a vault_client_policy object. Not typically called by users.
Usage
vault_client_policy$new(api_client)
Arguments
api_client
A vault_api_client object
Method delete()
This endpoint deletes the policy with the given name. This will immediately affect all users associated with this policy.
Usage
vault_client_policy$delete(name)
Arguments
name
Specifies the name of the policy to delete.
Method list()
Lists all configured policies.
Usage
vault_client_policy$list()
Method read()
Retrieve the policy body for the named policy
Usage
vault_client_policy$read(name)
Arguments
name
Specifies the name of the policy to retrieve
Method write()
Create or update a policy. Once a policy is updated, it takes effect immediately to all associated users.
Usage
vault_client_policy$write(name, rules)
Arguments
name
Name of the policy to update
rules
Specifies the policy document. This is a string in HashiCorp Configuration Language (HCL). At present this must be passed as a single string (not a character vector of strings); future versions of vaultr may allow more flexible specification such as @filename.
Examples
server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
client <- server$client()
# The test server starts with only the policies "root" (do
# everything) and "default" (do nothing).
client$policy$list()
# Here let's make a policy that allows reading secrets from the
# path /secret/develop/* but nothing else
rules <- 'path "secret/develop/*" {policy = "read"}'
client$policy$write("read-secret-develop", rules)
# Our new rule is listed and can be read
client$policy$list()
client$policy$read("read-secret-develop")
# For testing, let's create a secret under this path, and under
# a different path:
client$write("/secret/develop/password", list(value = "password"))
client$write("/secret/production/password", list(value = "k2e89be@rdC#"))
# Create a token that can use this policy:
token <- client$auth$token$create(policies = "read-secret-develop")
# Login to the vault using this token:
alice <- vaultr::vault_client(addr = server$addr,
login = "token", token = token)
# We can read the paths that we have been granted access to:
alice$read("/secret/develop/password")
# We can't read secrets that are outside our path:
try(alice$read("/secret/production/password"))
# And we can't write:
try(alice$write("/secret/develop/password", list(value = "secret")))
# cleanup
server$kill()
}
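An added example, not part of vaultr's own documentation, that builds on the write() note above: it assembles a multi-stanza policy with explicit capability lists into the single string write() requires, writes it to a test server, and confirms that the broad read grant applies while the more specific deny stanza wins. The policy name, paths and secret values are constructed for illustration.

```r
# Build a least-privilege ACL policy from a named list of path -> capabilities
# and return it as the single HCL string that vault_client_policy$write() expects.
make_policy <- function(caps) {
  stanza <- function(path, capabilities) {
    sprintf('path "%s" {\n  capabilities = [%s]\n}', path,
            paste(sprintf('"%s"', capabilities), collapse = ", "))
  }
  # One string, not a character vector: write() currently requires that.
  paste(vapply(names(caps), function(p) stanza(p, caps[[p]]), character(1)),
        collapse = "\n\n")
}

# Constructed policy: read + list under secret/develop/*, but the more specific
# sub-path secret/develop/keys/* is explicitly denied; nothing else is granted.
rules <- make_policy(list(
  "secret/develop/*"      = c("read", "list"),
  "secret/develop/keys/*" = "deny"))
cat(rules, "\n")

server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()
  client$policy$write("develop-readonly", rules)

  # Read the stored body back and check it is the policy we wrote
  stored <- client$policy$read("develop-readonly")
  stopifnot("develop-readonly" %in% client$policy$list(),
            grepl("secret/develop/keys/*", stored, fixed = TRUE))

  # Constructed sample secrets, one inside and one under the denied sub-path
  client$write("/secret/develop/db", list(value = "sample-value"))
  client$write("/secret/develop/keys/signing", list(value = "sample-value"))

  token <- client$auth$token$create(policies = "develop-readonly")
  bob <- vaultr::vault_client(addr = server$addr, login = "token", token = token)

  # Granted: read within the allowed prefix
  print(bob$read("/secret/develop/db"))
  # Denied: Vault applies the longest matching path, so the deny stanza wins
  res <- try(bob$read("/secret/develop/keys/signing"), silent = TRUE)
  stopifnot(inherits(res, "try-error"))
  # Denied: no write capability was granted anywhere
  res <- try(bob$write("/secret/develop/db", list(value = "x")), silent = TRUE)
  stopifnot(inherits(res, "try-error"))

  client$policy$delete("develop-readonly")
  server$kill()
}
```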