vaultr (version 1.2.0)

vault_client_policy: Vault Policy Configuration

Description

Vault Policy Configuration

Super class

vaultr::vault_client_object -> vault_client_policy

Methods


Method new()

Create a vault_client_policy object. Not typically called by users.

Usage

vault_client_policy$new(api_client)

Arguments

api_client

A vault_api_client object


Method delete()

This endpoint deletes the policy with the given name. The change takes effect immediately: any token that carries this policy keeps the token itself but loses every capability the policy granted.

Usage

vault_client_policy$delete(name)

Arguments

name

Specifies the name of the policy to delete.


Method list()

Lists all configured policies.

Usage

vault_client_policy$list()


Method read()

Retrieve the policy body (the HCL document) for the named policy.

Usage

vault_client_policy$read(name)

Arguments

name

Specifies the name of the policy to retrieve.


Method write()

Create or update a policy. An updated policy takes effect immediately for every token that carries it; there is no need to re-issue tokens.

Usage

vault_client_policy$write(name, rules)

Arguments

name

Name of the policy to create or update.

rules

Specifies the policy document, as a single string written in HashiCorp Configuration Language (HCL). A character vector of lines (such as the result of reading a file line by line) is not accepted; collapse it into one string first. Future versions of vaultr may allow more flexible specification such as @filename.

Details

Interact with Vault's policies. Policies are the ACL layer of Vault: each one is a set of path rules, tokens are attached to one or more policies by name, and a request is allowed only if some attached policy grants the capability for the most specific matching path (a "deny" on that path wins over any grant). To get started, read up on policies in the Vault manual: https://developer.hashicorp.com/vault/docs/concepts/policies
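The following is an added example, not code from the vaultr package or its documentation. It ties together the single-string requirement of the rules argument of write() (a policy file is read and collapsed into one string), the "deny" precedence described above, and the immediate effect of delete() on a token that already carries the policy. It assumes the same test-server setup as the Examples section below, including that the secrets engine mounted at secret/ accepts the plain secret/develop/... paths used there; the policy name "develop-reader", the client variable bob and the secret values are illustrative.

```r
server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()

  # Policies normally live in version-controlled .hcl files. vaultr's
  # write() wants ONE string, so the character vector that readLines()
  # returns must be collapsed with "\n" before it is sent.
  policy_file <- tempfile(fileext = ".hcl")
  writeLines(c(
    '# Read-only access to the develop tree ...',
    'path "secret/develop/*" {',
    '  capabilities = ["read", "list"]',
    '}',
    '',
    '# ... except the deploy key. This path is more specific than the glob',
    '# above, and "deny" wins over any capability granted for the same path.',
    'path "secret/develop/deploy-key" {',
    '  capabilities = ["deny"]',
    '}'
  ), policy_file)
  rules <- paste(readLines(policy_file), collapse = "\n")
  client$policy$write("develop-reader", rules)

  # Vault stores the document verbatim, so read() is a cheap way to
  # review exactly what was installed.
  cat(client$policy$read("develop-reader"), "\n")

  # Constructed test data (values are placeholders, not real secrets)
  client$write("/secret/develop/db", list(value = "dev-db-password"))
  client$write("/secret/develop/deploy-key", list(value = "placeholder"))

  # A token carrying only this policy
  token <- client$auth$token$create(policies = "develop-reader")
  bob <- vaultr::vault_client(addr = server$addr,
                              login = "token", token = token)

  bob$read("/secret/develop/db")               # allowed by the glob rule
  try(bob$read("/secret/develop/deploy-key"))  # refused: explicit deny

  # delete() is immediate: bob's token still exists and still names the
  # policy, but the policy no longer grants anything, so the read that
  # succeeded a moment ago now fails.
  client$policy$delete("develop-reader")
  try(bob$read("/secret/develop/db"))

  server$kill()
}
```

The same collapse step is what you want in CI: keep the .hcl file as the source of truth, diff it against client$policy$read() before calling write(), and never hand-edit policies through the API alone.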

Examples

server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()

  # The test server starts with only the policies "root" (do
  # everything) and "default" (token self-management only, such as
  # looking up or renewing the token's own lease; no access to secrets).
  client$policy$list()

  # Here let's make a policy that allows reading secrets from the
  # path /secret/develop/* but nothing else
  rules <- 'path "secret/develop/*" {policy = "read"}'
  client$policy$write("read-secret-develop", rules)

  # Our new policy is listed and its body can be read back verbatim
  client$policy$list()
  client$policy$read("read-secret-develop")

  # For testing, let's create a secret under this path, and under
  # a different path:
  client$write("/secret/develop/password", list(value = "password"))
  client$write("/secret/production/password", list(value = "k2e89be@rdC#"))

  # Create a token that can use this policy:
  token <- client$auth$token$create(policies = "read-secret-develop")

  # Login to the vault using this token:
  alice <- vaultr::vault_client(addr = server$addr,
                                login = "token", token = token)

  # We can read the paths that we have been granted access to:
  alice$read("/secret/develop/password")

  # We can't read secrets that are outside our path:
  try(alice$read("/secret/production/password"))

  # And we can't write:
  try(alice$write("/secret/develop/password", list(value = "secret")))

  # cleanup
  server$kill()
}
