⛩️ Enabling a Gate

This page uses the Policy Gate plugin as its example, since it also covers integrations with Vault/OpenBao Secrets Engines (Kubernetes, AWS, etc.) and therefore a wide range of use cases.

Other plugins must be configured according to their respective Configuration section and GatePlane Terraform module.

Using CLI tools

In this example, the Policy Gate plugin protects a Vault/OpenBao path such as aws/prod/object-writer. This path can belong to an AWS Secrets Engine (see the respective Vault/OpenBao documentation) that issues AWS credentials for an IAM User allowed to perform s3:PutObject on critical S3 buckets (e.g. the one hosting the company's website).

For that, a Vault/OpenBao policy must exist (e.g. aws-prod-object-writer) that grants read access to this path, as follows:

aws-prod-object-writer.hcl

path "aws/prod/object-writer" {
    capabilities = ["read"]
}

To issue expiring Vault/OpenBao tokens carrying this policy, gated on approvals, a Gate must be created with the Policy Gate plugin. Note that `vault auth enable -path=` takes the mount path relative to auth/, so the Gate below ends up at auth/gateplane/aws-prod-object-writer:

vault auth enable -path=gateplane/aws-prod-object-writer gateplane-policy-gate

Hint

The auth/gateplane/aws-prod-object-writer path is used here for clarity; any mount path under auth/ can be used.

Next, configure the Gate to grant the aws-prod-object-writer policy by writing to its /config endpoint (the comments are placed above the command because a comment after a trailing backslash would break the line continuation):

# policies: multiple policies can be protected at once, separated by commas
# required_approvals / require_reason: additional options can be provided;
# see the plugin's Configuration section for the full list
vault write auth/gateplane/aws-prod-object-writer/config \
    policies=aws-prod-object-writer \
    required_approvals=1 \
    require_reason=true

With that, the /request, /approve and /claim endpoints of auth/gateplane/aws-prod-object-writer are usable as shown in the Usage Example.
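The same procedure as one idempotent script, added here as an example rather than GatePlane's own tooling. It assumes VAULT_ADDR and VAULT_TOKEN are set, that the plugin is already registered in the plugin catalog as gateplane-policy-gate, and that the Gate's /config endpoint can be read back (an assumption of this example). The GATEPLANE_APPLY guard and the helper function names are the example's own; the script only talks to Vault/OpenBao when GATEPLANE_APPLY=1.

```shell
#!/usr/bin/env sh
# Added example (not GatePlane's code): enable and configure a Policy Gate
# end-to-end with the Vault CLI. Requires VAULT_ADDR and VAULT_TOKEN.
set -eu

GATE_NAME="aws-prod-object-writer"
PROTECTED_PATH="aws/prod/object-writer"          # secrets engine path to protect
GATE_PATH="auth/gateplane/${GATE_NAME}"         # full API path of the Gate

# `vault auth enable -path=` expects the mount path relative to auth/, while
# the Gate's endpoints are addressed with the auth/ prefix. Strip it here so
# the same GATE_PATH can be used for both.
gate_mount_path() {
    printf '%s\n' "$1" | sed 's|^auth/||'
}

# Render the policy the Gate hands out; only read is granted on the path.
render_policy() {
    cat <<EOF
path "$1" {
    capabilities = ["read"]
}
EOF
}

# Create (or update) the policy, mount the Gate once, and write its /config.
enable_gate() {
    mount=$(gate_mount_path "$GATE_PATH")
    render_policy "$PROTECTED_PATH" | vault policy write "$GATE_NAME" -
    # Idempotent: `vault auth enable` fails if the mount already exists.
    if ! vault auth list -format=json | grep -q "\"${mount}/\""; then
        vault auth enable -path="$mount" gateplane-policy-gate
    fi
    vault write "${GATE_PATH}/config" \
        policies="$GATE_NAME" \
        required_approvals=1 \
        require_reason=true
}

# Read the config back (assumed readable) and fail unless it grants our policy.
verify_gate() {
    vault read -format=json "${GATE_PATH}/config" | grep -q "\"${GATE_NAME}\""
}

if [ "${GATEPLANE_APPLY:-0}" = 1 ]; then
    enable_gate
    verify_gate && echo "Gate ${GATE_PATH} grants policy ${GATE_NAME}"
fi
```

Run it with `GATEPLANE_APPLY=1 sh enable-gate.sh` against a dev server first; re-running it is safe because the policy write is an upsert and the mount step is skipped when the Gate already exists.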

Using GatePlane Terraform modules

The Policy Gate Terraform module simplifies the steps above. It also creates helper policies granting access to the /request, /approve and /claim endpoints, ready to be assigned to Vault/OpenBao Entities.

module "gateplane_aws-prod-object-writer" {
  depends_on = [module.gateplane_setup] // the module registering the plugins
  source     = "github.com/gateplane-io/terraform-gateplane-policy-gate?ref=0.1.0"
 
  name            = "aws-prod-object-writer"    // The name to be used in the endpoint and policies
  path_prefix     = "gateplane"                 // The path prefix
  endpoint_prefix = ""                          // A prefix for the endpoint
 
  // The Vault/OpenBao path to protect and the capabilities to grant on it;
  // the module creates the corresponding policy (here equivalent to aws-prod-object-writer.hcl)
  protected_path_map = {
    "aws/prod/object-writer" = ["read"]
  }
 
  // The configuration provided to /config
  plugin_options = {
    "required_approvals" : 1,
    "require_reason": true,
  }
}
 
output "policies" {
    description = "These policies can be used to access the created Gate"
    value = [
        // Can create (/request) and claim (/claim) access requests
        module.gateplane_aws-prod-object-writer.policy_names["requestor"],
        // Can list and approve (/approve) access requests
        module.gateplane_aws-prod-object-writer.policy_names["approver"],
    ]
}

Hint

When the enable_ui parameter is set, this Terraform module also adds the capabilities that the requestor and approver policies need in order to be used with the GatePlane WebUI.