Cannot list despite list permission in policy

Hello,

I was wondering why I cannot use list to see the items under secret/myorg.
I’m using version 2 of the kv secret engine on the path secret/.

This is what the policy looks like:

root@vault-0:~# vault policy read myorg-standard
# glob - prefix match
path "secret/data/myorg/*" {
	capabilities = [ "read", "create", "list" ]
}

path "secret/data/myorg/admin-secret" {
	capabilities = [ "deny" ]
}

I can confirm that this is the policy I’m using, as vault lookup token displays it:

path                auth/upass/login/orgops
policies            [default myorg-standard]

So when I try:

vault kv list secret/myorg

I get permission denied:

Error listing secret/metadata/myorg: Error making API request.

URL: GET https://127.0.0.1:8200/v1/secret/metadata/myorg?list=true
Code: 403. Errors:

* 1 error occurred:
	* permission denied

Now it’s just occurred to me that maybe with those permissions I’m able to list only what is under any folder under myorg, so I cannot list the folders themselves.
But neither this

path "secret/data/myorg/" {
	capabilities = [ "list" ]
}

nor this

path "secret/data/" {
	capabilities = [ "list" ]
}

has worked.

Any ideas are welcome!

Please consult the API docs for the KVv2 secrets engine. You’ll find that the list operation is not implemented via the /data/ path, but via /metadata/.


Thanks.
(For the others out there) I’ve changed the policy to:

path "secret/data/myorg/*" {
        capabilities = [ "read", "create" ]
}

path "secret/metadata/myorg/*" {
        capabilities = [ "list" ]
}

path "secret/data/myorg/admin-secret" {
        capabilities = [ "deny" ]
}

I’ve logged in again with the user and now list works:

root@vault-1:~# vault login -method=userpass -path=upass username=orgops password=crap
root@vault-1:~# vault kv list secret/myorg
Keys
----
opsorgcrap
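To make the /data/ vs /metadata/ point from the reply and the corrected policy above concrete, here is a small added model of Vault's ACL evaluation (example code written for this thread, not Vault's own implementation). It assumes Vault's documented rules: a trailing `*` is a prefix glob, an exact-path rule wins over a glob, `deny` overrides everything, and a list on `foo` is checked as `foo/`; the policies and paths are the ones from the thread.

```python
"""Model of how Vault evaluates this thread's policies for `vault kv list`.

Added example, not Vault's code: a simplified evaluator that reproduces
why the original policy yields 403 on list and the corrected one does not.
"""

# Policies from the thread, written as path -> set of capabilities.
ORIGINAL_POLICY = {
    "secret/data/myorg/*": {"read", "create", "list"},
    "secret/data/myorg/admin-secret": {"deny"},
}

CORRECTED_POLICY = {
    "secret/data/myorg/*": {"read", "create"},
    "secret/metadata/myorg/*": {"list"},
    "secret/data/myorg/admin-secret": {"deny"},
}


def kv2_request(mount: str, key: str, operation: str) -> tuple[str, str]:
    """Translate `vault kv <operation> <mount>/<key>` into the API path.

    KV v2 serves read/create under <mount>/data/ but list under
    <mount>/metadata/, which is the root cause discussed in the thread.
    """
    if operation == "list":
        return operation, f"{mount}/metadata/{key}"
    return operation, f"{mount}/data/{key}"


def is_allowed(policy: dict, operation: str, path: str) -> bool:
    """Return True if `policy` grants `operation` on the API `path`."""
    # Vault's ACL layer checks a list on "foo" as a list on "foo/".
    if operation == "list" and not path.endswith("/"):
        path += "/"
    # An exact-path rule takes precedence over any glob rule.
    caps = policy.get(path)
    if caps is None:
        # Otherwise the longest matching prefix glob applies.
        globs = [p for p in policy if p.endswith("*") and path.startswith(p[:-1])]
        if not globs:
            return False
        caps = policy[max(globs, key=len)]
    if "deny" in caps:  # deny overrides every other capability
        return False
    return operation in caps


if __name__ == "__main__":
    op, path = kv2_request("secret", "myorg", "list")
    print(path, "original:", is_allowed(ORIGINAL_POLICY, op, path))
    print(path, "corrected:", is_allowed(CORRECTED_POLICY, op, path))
```

Running it shows the list request lands on `secret/metadata/myorg/`, which no rule in the original policy covers, while the corrected `secret/metadata/myorg/*` rule grants it.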