ACL plus notation does not work in path

igor-nikiforov · June 7, 2022, 9:21am

Hello,

I have kv v1 with foo/ path and want to create policy for deny specific secrets inside foo/+/, in my case foo/+/bitbucket*.

But for some reason this policy below does not work. I’m still able to read any secrets in foo/+/bitbucket* with bitbucket* prefix.

path "foo/+" {
  capabilities = ["list"]
}

path "foo/bar/*" {
  capabilities = ["list", "read", "create", "update", "patch", "delete"]
}

path "foo/+/bitbucket*" {
  capabilities = ["deny"]
}

It working only when I explicitly specificy full path like this:

path "foo/bar/bitbucket*" {
  capabilities = ["deny"]
}

Why + does not work in my case?

Thanks.

maxb · June 7, 2022, 9:47am

Needs to be changed to:

path "foo/+/" {
  capabilities = ["list"]
}

The handling of trailing slashes with list operations and + wildcards is inconsistent with the same if + wildcards are not used, unfortunately.

igor-nikiforov · June 7, 2022, 10:12am

Sorry but this does not allow to list any path under foo/. Moreover it does not solve issue with:

path "foo/bar/bitbucket*" {
  capabilities = ["deny"]
}

igor-nikiforov · June 7, 2022, 10:28am

Seems like this kind of ACL just don’t work with kv v1. I checked same patterns with kv v2 and it works perfectly.

Topic		Replies	Views
[Resolved] Vault Acl policy [newbie] Vault	2	111	April 3, 2024
Confusing plus and asterisk operators in vault policies for kv2 Vault vault	5	2106	September 7, 2020
Having problem with ACL Policies Vault	4	307	March 18, 2020
Vault policy not working with (+ and *) in the one path Vault	2	1095	July 22, 2019
ACL Policy - permission denied Vault	3	1276	November 9, 2021

ACL plus notation does not work in path

Related topics