Create a policy to list & read (on the UI) specific secrets

royt-via · April 7, 2020, 9:18pm

Using Vault v2.
Trying to create ACL policy to allow read-only to specific secrets.
By doing this -

path "kv/data/specific_secret" {
  capabilities=["read", "list"]
}

I was able to curl it but not see it on the UI.
By doing this -

path "kv/metadata" {
  capabilities=["list"]
}
path "kv/data/specific_secret" {
  capabilities=["read", "list"]
}

I was able to see ALL secrets on the UI but read only the specific_secret one.
I was wondering if there’s a way to specify the secret I want to show.
I tried doing kv/metadata/specific_secret but that didn’t work…
Thanks!

Wolfsrudel · April 7, 2020, 9:48pm

Have you already tried the following?

path "kv/metadata/specific_secret" {
  capabilities=["list"]
}
path "kv/data/specific_secret" {
  capabilities=["read", "list"]
}

royt-via · April 7, 2020, 9:59pm

@Wolfsrudel
yes… unfortunately, didn’t work

royt-via · April 9, 2020, 4:47pm

apparently, it’s an 18 months old known issues.
still no fix.
link to issue - https://github.com/hashicorp/vault/issues/5362

Topic		Replies	Views
[Resolved] Vault Acl policy [newbie] Vault	2	110	April 3, 2024
Understanding Vault policies behavior Vault	2	358	November 16, 2019
KV v2 list policy to hide all subpaths except for one Vault vault	4	1798	November 27, 2020
Vault policy write only + read parameters too Vault	5	2108	November 28, 2021
Not understanding Vault policies for secret paths Vault	8	2762	June 7, 2021

Create a policy to list & read (on the UI) specific secrets

Related topics