ACL Policy - permission denied

mack3nny · October 25, 2021, 6:29am

Hi Community,

Beginner here following the Hashicorp tutorials.

I have created a policy

path "password_store-kv/db1_pass" {
  capabilities = ["create"]
  allowed_parameters = {
    "bar" = ["zip", "zap"]
  }
}

/vault policy write pass test.hcl
Success! Uploaded policy: pass

The backend is already enabled using admin token. I then create a token for the policy

./vault token create -policy=pass

./vault login <token of the Policy>

But

./vault kv put password_store-kv/foo bar=zip
Error writing data to password_store-kv/foo: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/password_store-kv/foo
Code: 403. Errors:

* 1 error occurred:
	* permission denied

As per the policy, password_store-kv/foo should accept parameter bar with vaules “zip” and “zap” right?

Thanks and Regards,

M

mack3nny · October 25, 2021, 6:31am

Sorry about the typo, path was password_store-kv/db1_pass, Still does not work though.

./vault kv put password_store-kv/db1_pass bar=zip
Error writing data to password_store-kv/db1_pass: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/password_store-kv/db1_pass
Code: 403. Errors:

* 1 error occurred:
	* permission denied

aram · October 25, 2021, 7:21am

Can you post your vault secrets list -detailed output?

Assuming you went with the default kv (version 2), you’re missing “/data/” from your policy.

KV v2 paths include a “/data/” in the system path that do not appear when using it as a client.

path "password_store-kv/data/db1_pass" {
  capabilities = ["create"]
  allowed_parameters = {
    "bar" = ["zip", "zap"]
  }
}

OliverW87 · November 9, 2021, 2:30pm

Got the same issue here.

vault secrets list -detailed:
Path           Plugin       Accessor              Default TTL    Max TTL    Force No Cache    Replication    Seal Wrap    External Entropy Access    Options           Description                                                UUID
----           ------       --------              -----------    -------    --------------    -----------    ---------    -----------------------    -------           -----------                                                ----
do-it/    kv           kv_82386dad           system         system     false             replicated     false        false                      map[version:2]    n/a                                                        439e6e65-f29a-3a90-5b62-d18449c31943

Policy:

path "do-it/data/foo" {
  capabilities = ["create"]
   allowed_parameters = {
    "bar" = ["zip", "zap"]
  }
}

vault kv put do-it/foo bar=zip

Error writing data to do-it/data/foo: Error making API request.

URL: PUT https://vault.doit.local/v1/do-it/data/foo
Code: 403. Errors:

* 1 error occurred:
	* permission denied

Topic		Replies	Views
Hashicorp Vault - Permission denied in API While Succcess In CLI Vault	1	584	September 16, 2022
Getting permission denied when using a token generated in Hashicorp vault Vault	7	9137	March 21, 2022
Having problem with ACL Policies Vault	4	307	March 18, 2020
Vault policy not working for API Vault	4	213	May 8, 2023
Permission denied using userauth with specific policy Vault	1	450	March 9, 2022

ACL Policy - permission denied

Related topics