$ export VAULT_TOKEN=s.YuMTkrFzVtr6A5by5jLwJIYS
$ vault kv get auth/token/lookup-self
Error making API request.
URL: GET http://localhost:8200/v1/sys/internal/ui/mounts/auth/token/lookup-self
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "auth/token/lookup-self/"
auth/token/lookup-self is an unusual endpoint which performs the same operation on read or update.
read is the normal way to use it. I assume update exists for some obscure compatibility reason - or maybe no reason at all.
Adding the update capability in a policy is not needed for the operations in this topic.
Here I am running the command that started this topic (even though it’s technically incorrect, since it’s using KV tooling to talk to a non-KV) and it works, with nothing more than the built-in default default policy:
$ vault kv get auth/token/lookup-self
========== Data ==========
Key Value
--- -----
accessor WJol77jSzTCGICZa1zDdAEAT
creation_time 1671559389
creation_ttl 768h
display_name userpass-basic
entity_id 782db8a9-759c-1ff4-6c98-4cd1d96863ad
expire_time 2023-01-21T18:03:09.20504172Z
explicit_max_ttl 0s
id hvs.xxxxxx
issue_time 2022-12-20T18:03:09.205058554Z
meta map[username:basic]
num_uses 0
orphan true
path auth/userpass/login/basic
policies [default]
renewable true
ttl 767h59m55s
type service
As to why it didn’t work in 2021? No idea, perhaps a bug has been fixed in the intervening time, or perhaps something unknown went wrong in the testing.
sys/internal/ui/mounts/ is a special API that does not require conventional policy to call. Instead it enforces its own permission checking internally, and will only return data for mounts you have some access to.
It is used by vault kv ... to probe whether the path is a KV v2, or not.