HashiCorp Vault ACL example uses wrong capabilities and paths #387
Description
Description
The example ACL policy for HashiCorp vault currently allows the user to sign digests and export the public key for future signature verification.
However, if one tries to verify a signature using the Vault itself, it results in an error:
$ cosign verify --key hashivault://cosign $IMAGE_DIGEST
Error: no matching signatures: verify: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/transit/verify/cosign/sha2-256
Code: 403. Errors:
* 1 error occurred:
* permission denied
main.go:69: error during command execution: no matching signatures: verify: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/transit/verify/cosign/sha2-256
Code: 403. Errors:
* 1 error occurred:
* permission denied
$ echo $?
12I’ve identified two issues with the example policy:
- The
verifyendpoint path should end with/*to allow different algorithms, similar tohmacandsign. - The
verifyendpoint requires theupdatecapability, notcreate.
Additionally, this simple sign/verify scenario does not require the update capability on hmac: read is sufficient.
With these adjustments, my working policy looks like this:
path "transit/keys/cosign" {
capabilities = ["read"]
}
path "transit/hmac/cosign/*" {
capabilities = ["read"]
}
path "transit/sign/cosign/*" {
capabilities = ["update"]
}
path "transit/verify/cosign/*" {
capabilities = ["update"]
}
$ cosign verify --key hashivault://cosign $IMAGE_DIGEST
Verification for localhost:5000/alpine@sha256:8a1f59ffb675680d47db6337b49d22281a139e9d709335b492be023728e11715 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"localhost:5000/alpine"},"image":{"docker-manifest-digest":"sha256:8a1f59ffb675680d47db6337b49d22281a139e9d709335b492be023728e11715"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEYCIQCxrgdvQ6J27M4rDG75VOrUHVsxikakgfRyitLA5VWNSwIhAOgDBVIzX15Z7ilV+KooEbcvDhNr+VgxRnOn7JNSerzl","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1OGEzNDk0NGZjZDg0NGZkNzM4MjEyMDA3NWNkMWVmNjI5ZDk4NTJkODc0YWE1YjRlNDYwNTdhM2NiYjNiMTViIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUUR6WENpQjFvejFRSldSUXF6QjRLSXVNZ2JFL2FSNmVwWXBSdXk2S0NFTzRRSWhBSVBaSWtMNFVQZzFuQTJZc0ZLRVZTUDZEY0ZoNS9VbU4rOXNWdVZjWmZyTCIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGZWtobWRXMXhkMWR2TjBVeGNWTk9OVTF0Y0ZsRmJWZFZkMlZ6V1FwQlFuQlVXR3BtV25SQ2JrTmtUMkZEVUhNMFJVZ3pPRTVXZEVNemQzUm1lRVJaVFUxNFVEazNSeTlvVnpCMlNVWTRiRVI0YzJSVE4waDNQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1752135686,"logIndex":269965683,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}}}]
$ echo $?
0If you agree with these corrections and/or feel additional explanation would be helpful in the docs, I’d be happy to prepare a PR to update the example accordingly.