With the requirements listed below, what would such a policy look like?

An administrator wants to create a new KV mount for individual users to maintain their own secrets but needs a way to simplify the policy so they don’t need to write a new one for each new user?

With the requirements listed below, what would such a policy look like?

Requirement: Each user can perform all operations on their allocated key/value secret path
A . path "user-kv/data/{{identity.entity.name}}/*" { capabilities = [ "create", "update", "read", "delete", "list" ] }
B . path "user-kv/data/{{identity.entity.id.name}}/*" { capabilities = [ "create", "update", "read", "delete", "list" ] }
C . path "user-kv/data/{{identity.entity.aliases.<<mount accessor>>.id}}/*" { capabilities = [ "create", "update", "read", "delete", "list" ] }
D . path "user-kv/data/{{user}}/*" {
capabilities = [ "create", "update", "read", "delete", "list" ]
}

Answer: A

Explanation:

Everything in the Vault is path-based, and policies are no exception. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.

The policy template makes it very flexible to customize the environment. By using parameters within your template, you can have Vault "insert" a value into the path based upon things like identity values, group membership, and metadata associated with either the user’s identity or group they are a member of.

Using the parameter, the path user-kv/data/{{identity.entity.name}}/* converts to user-kv/data/student01/*

Latest VA-002-P Dumps Valid Version with 200 Q&As

Latest And Valid Q&A | Instant Download | Once Fail, Full Refund

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments