API: how to check if token is allowed to write

With the HTTP API (or its Go wrapper) and the kvv2 backend, how can I check that my token allows me to write a given secret (without modifying secret data)?

It seems that POST /v1/sys/capabilities-self allows me to get a list of capabilities for a given path.
Is it the right way?
How can I use this route from the Go API?

I have this code that seems to work, but very verbose:

	canUpdate := false
	// Check if token allows to modify the secret
	if capReply, err := vault.Write("sys/capabilities-self",
		map[string]interface{}{
			"paths": []string{
				vaultPath,
			},
		}); err != nil {
		return fmt.Errorf("check Vault write access: %w", err)
	} else {
		// fmt.Printf("%#v\n", capReply.Data)
		capabilities := capReply.Data[vaultPath].([]interface{})
		// fmt.Println(capabilities)
		for _, cap := range capabilities {
			if cap == "update" {
				canUpdate = true
				break
			}
		}
	}

Yes you are right. I would suggest to use the following request (format in cURL):

curl 
-X POST 
-H "X-Vault-Request: true" 
-H "X-Vault-Token: {YOUR_TOKEN}" 
-d '{"path":"{PATH_TO_SECRET}","token":"{TOKEN_TO_CHECK}"}' 
https://vault-url/v1/sys/capabilities

When it comes to Go code, you can use the following functions:

capabilities, err = client.Sys().CapabilitiesSelf(path)

OR

capabilities, err = client.Sys().Capabilities(token, path)
1 Like

Oh, great! This is much cleaner.

Thank you.

There aren’t constants for capabilities names in the package?