How to restrict user1 to see user2 folder under secret engine kv

Hi team,
Currently I am using Vault for sharing passwords with clients. We are using the KV secret engine.
We are creating a separate folder for each client under the /secret folder and storing the password there.
Paths:
/secret/xxxxxx/account_details
/secret/yyyyyy/account_details
/secret/zzzzzz/account_details

Now I want that when a client logs in using their token they should see only their own folder under /secret instead of all the folders present inside /secret.

Currently we have used the policy below:
path "secret/xxxxxx/*" {
  capabilities = ["read", "list"]
}

path "secret/*" {
  capabilities = ["list"]
}

Remove the secret/* and ask them to use the CLI rather than the browser. That'll restrict them to only seeing their own secrets. You can also give them a specific URL for their secrets; to be able to walk the secret folders they need to see the full list.

Thank you for the response.

Is there any way to also show, inside /secret, the folder that belongs to the respective client after removing secret/*?

You could change "secret/*" to "secret/" in your example.
This will allow listing of the folders in the root of your KV mount but not traversal into other folders (i.e. you'd be able to see secret/xxxxxx, secret/yyyyyy, and secret/zzzzzz but would only be able to list and view contents for items in secret/xxxxxx).

There is no way to only allow listing of folders you have further access into, to my knowledge.

Edit: corrected path (missed trailing /)

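To make the difference between the two policies concrete, here is an added example (not from this thread or from HashiCorp) that models Vault's ACL path matching in Python and evaluates both policies against the paths from the question. It assumes a KV v1 mount at secret/ and handles only the trailing * glob (no + wildcard, no deny rules); on a KV v2 mount the list paths would be secret/metadata/<client>/ instead.

```python
# Added example, not from the thread: a minimal model of Vault's ACL path
# matching, used to compare the original policy ("secret/*") with the
# suggested one ("secret/"). Assumes a KV v1 mount named "secret".
# Simplifications: only the trailing "*" glob, no "+" wildcard, no deny rules.

def parse_policy(rules):
    """rules: {policy_path: [capabilities]} -> (exact, globs) lookup tables."""
    exact, globs = {}, {}
    for path, caps in rules.items():
        if path.endswith("*"):
            globs[path[:-1]] = set(caps)   # prefix match
        else:
            exact[path] = set(caps)        # exact match only
    return exact, globs

def allowed(policy, request_path, capability):
    """True if the policy grants `capability` on `request_path`.
    Vault checks for an exact rule first, then the longest matching glob."""
    exact, globs = policy
    if request_path in exact:
        return capability in exact[request_path]
    matches = [p for p in globs if request_path.startswith(p)]
    if not matches:
        return False
    return capability in globs[max(matches, key=len)]

# Original policy from the question: "secret/*" grants list on every subfolder.
ORIGINAL = parse_policy({
    "secret/xxxxxx/*": ["read", "list"],
    "secret/*": ["list"],
})
# Suggested fix: "secret/" (exact) only allows listing the mount root.
FIXED = parse_policy({
    "secret/xxxxxx/*": ["read", "list"],
    "secret/": ["list"],
})

def can_list_other_client(policy):
    """Can client xxxxxx list the folder belonging to client yyyyyy?
    A `vault kv list secret/yyyyyy` request maps to the path secret/yyyyyy/."""
    return allowed(policy, "secret/yyyyyy/", "list")

if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name,
              "| list secret/:", allowed(pol, "secret/", "list"),
              "| list secret/yyyyyy/:", can_list_other_client(pol),
              "| read own secret:",
              allowed(pol, "secret/xxxxxx/account_details", "read"))
```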