A company wants to grant developers the ability to read and write secrets under the path 'secret/dev/*', but each developer should be able to delete only their own secrets. Which policy design best meets this requirement?
- A
path "secret/dev/*" { capabilities = ["create", "read", "update", "delete", "list"] }
Why wrong: This allows delete on all secrets under secret/dev/, not just the user's own.
- B
path "secret/dev/*" { capabilities = ["read", "list"] }
Why wrong: This only allows read and list, not write or delete.
- C
path "secret/dev/+/{{identity.entity.name}}" { capabilities = ["create", "read", "update", "delete"] }
Why wrong: The '+' wildcard matches a single directory level, so the path pattern may not cover all desired paths; it is also missing 'list'.
- D
path "secret/dev/*" { capabilities = ["create", "read", "update", "delete", "list"] }
path "secret/dev/{{identity.entity.name}}/*" { capabilities = ["delete"] }
Why correct: Grants full access to the dev path, while delete is only allowed on the user's own sub-path, scoped by the entity name.