How to find Hashicorp vault API endpoints that require sudo capability

Short solution found in September 2023

The list of sudo paths is hard-coded in the Vault API client source code at https://github.com/hashicorp/vault/blob/main/api/sudo_paths.go. The steps below show how to derive the same list from a running instance instead, which also covers the mounts enabled on that instance.

Step by step guide

Step 1 - Login to your vault instance

$ vault login ...

Step 2 - Get the OpenAPI spec

$ vault read -format=json sys/internal/specs/openapi > vault-openapi-spec.json

This creates a vault-openapi-spec.json file in your current directory.

This file describes all the API endpoints of this Vault instance according to the OpenAPI specification. Note that the spec only covers the auth methods and secrets engines currently mounted, so the list of paths depends on the instance you query.

Step 3 - Parse the vault-openapi-spec.json file

If you read the vault-openapi-spec.json file carefully, you will find path items with the vendor extension x-vault-sudo set to true.

A small Python program such as:

#!/usr/bin/env python3
"""List the Vault API paths flagged x-vault-sudo in an OpenAPI spec file."""

import json
import sys

# Output of: vault read -format=json sys/internal/specs/openapi
OPENAPI_SPEC_FILE = "vault-openapi-spec.json"


def main() -> int:
    with open(OPENAPI_SPEC_FILE, "r", encoding="utf-8") as openapi_spec_fd:
        spec = json.load(openapi_spec_fd)

    # `vault read -format=json` wraps the OpenAPI document under "data"
    paths = spec["data"]["paths"]

    # Keep only the path items whose x-vault-sudo extension is exactly true
    path_sudo_protected: list[str] = [
        api_path
        for api_path, path_spec in paths.items()
        if path_spec.get("x-vault-sudo") is True
    ]

    print("\n".join(sorted(path_sudo_protected)))

    return 0


if __name__ == "__main__":
    sys.exit(main())

is enough to list all the API endpoints that have this x-vault-sudo attribute.

Here is the list I obtained on a freshly deployed Vault 1.14.1 instance. Only the default mounts are present there; enabling additional auth methods or secrets engines can add paths to the output.

  • /auth/token/accessors
  • /sys/audit
  • /sys/audit/{path}
  • /sys/auth/{path}
  • /sys/auth/{path}/tune
  • /sys/config/auditing/request-headers
  • /sys/config/auditing/request-headers/{header}
  • /sys/config/cors
  • /sys/config/ui/headers/{header}
  • /sys/internal/inspect/router/{tag}
  • /sys/leases
  • /sys/leases/lookup/
  • /sys/leases/lookup/{prefix}
  • /sys/leases/revoke-force/{prefix}
  • /sys/leases/revoke-prefix/{prefix}
  • /sys/plugins/catalog/{name}
  • /sys/plugins/catalog/{type}
  • /sys/plugins/catalog/{type}/{name}
  • /sys/remount
  • /sys/replication/dr/primary/secondary-token
  • /sys/replication/performance/primary/secondary-token
  • /sys/replication/primary/secondary-token
  • /sys/replication/reindex
  • /sys/revoke-force/{prefix}
  • /sys/revoke-prefix/{prefix}
  • /sys/rotate
  • /sys/storage/raft/snapshot-auto/config/
  • /sys/storage/raft/snapshot-auto/config/{name}
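
Once the sudo-protected paths are known, the natural next question is what a policy granting access to one of them has to look like. The script below is an added example, not code from the original post or from HashiCorp. It applies the same x-vault-sudo filter and then rewrites each OpenAPI path template into Vault ACL policy syntax (leading slash dropped, a trailing {param} turned into the * glob, an inner {param} into the + single-segment wildcard) and derives the capabilities from the HTTP methods present on the path item. The SAMPLE_SPEC is a constructed excerpt in the shape `vault read -format=json` prints, not a real capture; the method-to-capability mapping (GET to read, POST/PUT to create and update, DELETE to delete, GET on a trailing-slash path to list) is the conventional one and is an assumption of this example, as is the handling of a spec that is not wrapped under "data".

```python
#!/usr/bin/env python3
"""Turn the sudo-protected paths of a Vault OpenAPI spec into ACL policy stanzas.

Added example; not code from the original post or from HashiCorp.
SAMPLE_SPEC is a constructed excerpt in the shape returned by
`vault read -format=json sys/internal/specs/openapi`, not a real capture.
"""

import json

# Constructed excerpt: three sudo-protected paths, one unauthenticated path
# and one ordinary KV path, so the filter has something to reject.
SAMPLE_SPEC = json.dumps({
    "data": {
        "openapi": "3.0.2",
        "paths": {
            "/sys/leases/revoke-prefix/{prefix}": {
                "x-vault-sudo": True,
                "post": {"summary": "Revoke all secrets under a prefix."},
            },
            "/sys/plugins/catalog/{type}/{name}": {
                "x-vault-sudo": True,
                "get": {},
                "post": {},
                "delete": {},
            },
            "/sys/leases/lookup/": {"x-vault-sudo": True, "get": {}},
            "/sys/health": {"x-vault-unauthenticated": True, "get": {}},
            "/secret/data/{path}": {"get": {}, "post": {}, "delete": {}},
        },
    }
})

# Assumed (conventional) mapping from HTTP method to the capability a policy
# needs. POST/PUT may need "create" or "update" depending on whether the entry
# already exists, so both are granted.
METHOD_CAPS = {
    "get": ["read"],
    "post": ["create", "update"],
    "put": ["create", "update"],
    "patch": ["patch"],
    "delete": ["delete"],
}
CAP_ORDER = ["create", "read", "update", "patch", "delete", "list", "sudo"]


def load_paths(spec_text: str) -> dict:
    """Return the OpenAPI "paths" object, whether the document is wrapped
    under "data" (as `vault read -format=json` prints it) or bare."""
    spec = json.loads(spec_text)
    return spec.get("data", spec)["paths"]


def sudo_paths(paths: dict) -> list[str]:
    """Paths whose x-vault-sudo extension is exactly true, sorted."""
    return sorted(p for p, item in paths.items() if item.get("x-vault-sudo") is True)


def to_policy_glob(api_path: str) -> str:
    """Rewrite an OpenAPI path template into Vault policy path syntax:
    drop the leading slash, a trailing {param} becomes the glob "*",
    an inner {param} becomes the single-segment wildcard "+"."""
    segments = api_path.lstrip("/").split("/")
    last = len(segments) - 1
    out = []
    for i, seg in enumerate(segments):
        if seg.startswith("{") and seg.endswith("}"):
            out.append("*" if i == last else "+")
        else:
            out.append(seg)
    return "/".join(out)


def capabilities(api_path: str, item: dict) -> list[str]:
    """Capabilities a policy must grant for this sudo-protected path item."""
    caps = {"sudo"}
    for method, method_caps in METHOD_CAPS.items():
        if method in item:
            caps.update(method_caps)
    # Vault's OpenAPI expresses LIST as a GET on a path ending in "/"
    if api_path.endswith("/") and "get" in item:
        caps.add("list")
    return [c for c in CAP_ORDER if c in caps]


def render_policy(spec_text: str) -> str:
    """HCL policy stanzas, one per sudo-protected path."""
    paths = load_paths(spec_text)
    stanzas = []
    for api_path in sudo_paths(paths):
        caps = ", ".join(f'"{c}"' for c in capabilities(api_path, paths[api_path]))
        stanzas.append(
            f'path "{to_policy_glob(api_path)}" {{\n  capabilities = [{caps}]\n}}'
        )
    return "\n\n".join(stanzas)


if __name__ == "__main__":
    print(render_policy(SAMPLE_SPEC))
```

To run it against a real instance, feed the contents of vault-openapi-spec.json to render_policy instead of SAMPLE_SPEC. Treat the output as a starting point to review, not as a policy to apply: every stanza it emits grants sudo, and the point of listing these paths is to keep that capability scoped to the few paths a given workload actually needs.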