Capability to enable secret engine

Which path and capability are needed to enable a secrets engine?

My expectation is, for example:

    path "/mysecret/*" {
        capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

If I have this policy, then I can enable any secrets engine on the /mysecret/* path.

But right now I get permission denied.

The API used to create mount points is sys/mounts/:path.

You will need to give create access to sys/mounts/mysecret/* in order to enable mount points under mysecret. The documentation does not indicate that “sudo” is necessary (as it is to add an auth method.)

3 Likes
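As an added example (not part of the original thread), here is a policy written the way the answer describes: the mount operation goes through sys/mounts/:path, so the policy must grant `create` on `sys/mounts/mysecret/*`; the capabilities on `mysecret/*` only govern the data once an engine is mounted. The policy name and the kv mount path below are assumptions for illustration.

```hcl
# Added example policy; not from the original thread.
# Enabling a secrets engine is a write to sys/mounts/<mount-path>, so that
# is the path the policy has to cover. "create" is enough to enable an engine;
# "update" additionally allows tuning it (sys/mounts/<path>/tune).
# "delete" is deliberately left out so this token cannot disable engines.
# "sudo" is not required here, unlike enabling an auth method under sys/auth.
path "sys/mounts/mysecret/*" {
  capabilities = ["create", "update"]
}

# Read-only view of the mount table, so `vault secrets list` works.
path "sys/mounts" {
  capabilities = ["read"]
}

# Data access to whatever ends up mounted under mysecret/.
# Note that this block alone does NOT permit mounting anything.
path "mysecret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
```

Load it with `vault policy write mysecret-admin mysecret-admin.hcl`, issue a token with `vault token create -policy=mysecret-admin`, and with that token `vault secrets enable -path=mysecret/kv kv-v2` succeeds while `vault secrets enable -path=other/kv kv-v2` is denied, which is the check worth running before handing the policy out.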

Thank you @mgritter
It works perfectly.