Comments (4)
Unlike generic or transit, the PKI backend requires significant configuration that we (the broker) cannot possibly know in advance. This is also why we recommend running Vault as its own service. As a Vault administrator, you can configure it to enable the PKI backend with the proper things.
from vault-service-broker.
@sethvargo - So do you recommend having the policy manually modified for the token generated when the broker service instance is created?
You can attach multiple policies to the token during generation, so you would change the policy that is applied when the broker creates a token.
@sethvargo - I didn't understand. Are you saying an operator should grab hold of the service instance id and go to the vault server and edit the policy for the same ?
```hcl
# Output of `vault policies cf-53d02677-5b17-4044-ad2d-00de655ceba5`: the policy the broker
# generated for this service instance. It mixes the `capabilities` form with the legacy
# `policy = "..."` form; Vault maps legacy "write" to create, read, update, delete and list,
# and legacy "read" to read and list.
path "cf/53d02677-5b17-4044-ad2d-00de655ceba5" {
  capabilities = ["list"]
}
path "cf/53d02677-5b17-4044-ad2d-00de655ceba5/*" {
  policy = "write"
}
path "cf/d0cae1cd-e4e2-44f4-9718-a1f6d54d605b" {
  capabilities = ["list"]
}
path "cf/d0cae1cd-e4e2-44f4-9718-a1f6d54d605b/*" {
  policy = "write"
}
path "cf/9a9fb216-42ae-4bfb-865e-69b44e256a98" {
  capabilities = ["list"]
}
path "cf/9a9fb216-42ae-4bfb-865e-69b44e256a98/*" {
  policy = "read"
}
```
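The point sethvargo makes above (attach a second, operator-managed policy to the broker's token instead of editing the generated one) as an added example; this is a simplified Python model of Vault's policy merging, not code from vault-service-broker or from Vault itself. The `pki/issue/cf-app` path and the second policy are assumptions; the `cf/...` GUID paths are taken from the policy shown above.

```python
"""Simplified model of how Vault combines the policies attached to one token.

Three rules are modelled: legacy `policy = "..."` keywords expand to capability
sets, capabilities for the same path are unioned across policies with `deny`
winning, and a request is matched by exact path first, then by the longest
`prefix/*` glob. `+` segment wildcards and templated paths are left out.
"""

# Legacy keyword -> capability set, as Vault translates them.
LEGACY = {
    "deny": {"deny"},
    "read": {"read", "list"},
    "write": {"create", "read", "update", "delete", "list"},
    "sudo": {"create", "read", "update", "delete", "list", "sudo"},
}


def merge_policies(*policies):
    """Union the rules of several policies into one path -> capabilities map."""
    merged = {}
    for policy in policies:
        for path, rule in policy.items():
            caps = set(rule.get("capabilities", []))
            caps |= LEGACY.get(rule.get("policy"), set())
            merged.setdefault(path, set()).update(caps)
    return merged


def allowed(merged, path, capability):
    """Pick the most specific matching rule for `path` and test one capability."""
    rule = merged.get(path)  # an exact path match always wins
    if rule is None:
        globs = [p for p in merged if p.endswith("*") and path.startswith(p[:-1])]
        if not globs:
            return False  # no rule at all: Vault denies by default
        rule = merged[max(globs, key=len)]  # longest glob prefix is most specific
    return "deny" not in rule and capability in rule


# Policy the broker generates per service instance (paths from the output above).
BROKER_POLICY = {
    "cf/53d02677-5b17-4044-ad2d-00de655ceba5": {"capabilities": ["list"]},
    "cf/53d02677-5b17-4044-ad2d-00de655ceba5/*": {"policy": "write"},
}

# Assumed operator-managed policy, attached to the same token at creation time.
# It grants certificate issuance for one role and blocks role management.
PKI_POLICY = {
    "pki/issue/cf-app": {"capabilities": ["update"]},
    "pki/roles/*": {"capabilities": ["deny"]},
}
```

With only the generated policy the token cannot reach `pki/issue/cf-app`; once `PKI_POLICY` is attached as well, issuance is allowed while the generated `cf/...` rules are untouched.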