Vault Token Capabilities #430
I am trying to test if a user has write access to the Vault path before we write to it. My local team suggested looking at the `vault token capabilities` command, which does just what I need, as it returns whether the user has access to the folder or path.
My understanding is that if it only returns `list` then the user basically has no access, which is the condition we want to test for. This would be to stop the event of a user creating a new secret, writing it to the path, and that write failing; it gives us a test we can run before creating the new secret to confirm they have write access to the specified path. I've not seen a native Ansible module to do this or a similar operation which would yield the same result, keen to discuss ideas here :)
Replies: 1 comment
Hi @simon-mags , it's true there is no dedicated plugin to access this capability, but it is possible with existing content!

First, getting token capabilities is provided by two different API paths: `sys/capabilities` for querying any arbitrary token, and `sys/capabilities-self` for querying the token making the request. It's probably the latter that you want, given your use case.

We can see from the docs that these APIs take a `POST` verb which makes them writes, and it takes a parameter called `paths` which is a list of paths you want to check the capabilities against.

We can use the `vault_write` module or lookup to write to this endpoint.

```yaml
- name: Check token capabilities
  register: token_caps
  community.hashi_vault.vault_write:
    url: https://vault:8201
    path: sys/capabilities-self
    data:
      paths:
        - path/to/secrets/kv/data/folder/secret

- name: Show capabilities
  ansible.builtin.debug:
    var: token_caps.data.data["path/to/secrets/kv/data/folder/secret"]

- ansible.builtin.assert:
    that:
      - '"create" in token_caps.data.data["path/to/secrets/kv/data/folder/secret"]'
      - '"update" in token_caps.data.data["path/to/secrets/kv/data/folder/secret"]'
```

If you passed multiple paths, you index by the path to get the capabilities for that path. If you pass a single path, you can also use

You might also prefer lookup form for this use case, but keep in mind the differences between lookups which run on the controller on every reference to them, and modules which run on each host and only execute at the time of the task: https://docs.ansible.com/ansible/latest/collections/community/hashi_vault/docsite/lookup_guide.html

```yaml
- name: Write a secret
  vars:
    path: path/to/secrets/kv/data/folder/secret
    cap_data:
      paths:
        - '{{ path }}'
    caps: "{{ lookup('community.hashi_vault.vault_write', 'sys/capabilities-self', data=cap_data).data[path] }}"
  when:
    - "'create' in caps"
    - "'update' in caps"
  community.hashi_vault.vault_kv2_write:
    path: '{{ path }}'
    data:
      key1: one
      key2: two
```

This example assumes that the module call to write to kv2 is either running on localhost (the controller), or that the token being used on the remote host and on the controller are the same, so be careful if these assumptions don't hold true.

If you are interested in seeing dedicated content for checking capabilities and are interested in creating a PR for that, let me know!
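The reply above leaves the "is this writable?" decision to inline `in` tests on the capability list. The following is an added example, not code from the discussion or from the `community.hashi_vault` collection: a small custom Ansible filter plugin (the file, the `vault_can_write` filter name and the sample paths are assumptions made for this example) that takes the raw `sys/capabilities-self` response registered as `token_caps.data` and answers yes or no for a given path. Beyond the plain `create`/`update` check it also handles the two capabilities Vault can report that the inline tests miss: `deny`, which overrides everything, and `root`, which implies everything. The sample response embedded at the bottom is constructed for the example, not captured from a server.

```python
"""Hypothetical Ansible filter plugin (added example, not part of
community.hashi_vault): decide whether a Vault token may write at a path,
given a raw sys/capabilities(-self) response.

Place in filter_plugins/vault_caps.py next to the playbook and use, e.g.
  when: token_caps.data | vault_can_write('kv/data/app/prod')
"""
import json

# Vault policy capabilities that permit a write. "deny" takes precedence over
# all other capabilities and "root" implies all of them (Vault policy docs).
WRITE_CAPS = frozenset({"create", "update"})


def capabilities_for(response, path):
    """Return the capability list for `path` from a sys/capabilities(-self)
    response. Vault wraps the per-path map in a top-level "data" key, which is
    why the task above indexes token_caps.data.data[...]; fall back to the bare
    map so a caller can also pass just that inner map."""
    body = response.get("data", response)
    if path not in body:
        raise KeyError(f"response has no capabilities entry for {path!r}")
    return list(body[path])


def can_write(caps, require_all=True):
    """True if the capability list allows writing at the path.

    require_all=True (default) demands both "create" and "update", matching
    the assert in the task above, so the token can create a new secret and
    overwrite an existing one. require_all=False accepts either capability.
    """
    caps = set(caps)
    if "deny" in caps:       # explicit deny beats every other capability
        return False
    if "root" in caps:       # root tokens report just ["root"]
        return True
    if require_all:
        return WRITE_CAPS <= caps
    return bool(WRITE_CAPS & caps)


def vault_can_write(response, path, require_all=True):
    """Filter entry point: `{{ response | vault_can_write(path) }}`."""
    return can_write(capabilities_for(response, path), require_all)


class FilterModule:
    """Ansible loads filters from a class with this name and method."""

    def filters(self):
        return {"vault_can_write": vault_can_write}


# Constructed sample (not a real server response) in the shape Vault returns
# for sys/capabilities-self when several paths are requested.
SAMPLE_RESPONSE = json.loads("""
{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "data": {
    "kv/data/app/prod":     ["create", "read", "update"],
    "kv/data/app/readonly": ["list"],
    "kv/data/app/blocked":  ["deny"],
    "kv/data/app/admin":    ["root"],
    "kv/data/app/append":   ["create"]
  }
}
""")


if __name__ == "__main__":
    for p in SAMPLE_RESPONSE["data"]:
        print(f"{p:24} {capabilities_for(SAMPLE_RESPONSE, p)!s:30} "
              f"writable={vault_can_write(SAMPLE_RESPONSE, p)}")
```

The plugin is pure Python with no Vault client dependency, so it runs on the controller regardless of where the `vault_write` task ran; the caveat from the reply still applies, namely that the response being filtered must have been obtained with the same token that will perform the write.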