Acess does not work

Describe the bug
Access can not work fine , neither KV1 or KV2 style

To Reproduce
Steps to reproduce the behavior:

  1. create user & password in Access, attach police “acl_bijinming"
  2. Create the policy “bijinming” as the following shows
  3. create kv2 secret in test/test path


  1. login with new user


Expected behavior
secret in path ‘test/test’ could be see, and other secret can not be see.


  • Vault Server Version: vault:1.9.0

Vault server configuration file(s):

disable_mlock = true ui = true listener “tcp” { tls_disable = 1 address = “[::]:8200” cluster_address = “[::]:8201” } storage “file” { path = “/vault/data” }

Additional context
when I remove the data and set the access path as “test/test/*”, it does not work fine either!

You have mismatching paths. Where is your kv actually mounted? In one it’s test and in one it’s secrets.

Instead of posting screenshots use the CLI to be more clear

Also, you’re missing the test/metadata/* path with list and, optionally, read capabilities. This is needed for listing folder contents.

Also, Vault does not support Access-Based-Enumeration - meaning if you have access to list contents of a folder you can see the existence of all items in that folder (but unless explicitly granted the right to read, will not be able to read the content). However, if you only have access to view the contents of a secret (and not access to list the folder) you will not be able to enumerate the contents of the folder but rather you would need to know and provide the full path to see the contents.

Policies can be a bit tricky at first, but continue to experiment to get a better understanding of how they work. KVv2 policies add an additional layer to standard ACLs and you’ll need to account for the additional paths utilized in this engine type.

1, login with root token , create a kv in path /test/hello

2, get the secret in path /test/hello

3, create a user name " mitchellh" acess “acl_bijinming”

4 list the access “acl_bijinming”

5, login with mitchellh

6, get secret from /test/hello

Thanks , I have added “test/metadata/" in Policies, it works fine now, so the "test/metadata/” and “test/data/*” must be A couple in Policies.