Hi team,
Currently I am using Vault for sharing passwords with clients. We are using the KV secrets engine.
We are creating a separate folder for each client under the /secret folder and storing the password there.
Paths:
/secret/xxxxxx/account_details
/secret/yyyyyy/account_details
/secret/zzzzzz/account_details
Now I want that when a client logs in using their token, they should see only their own folder under /secret instead of all the folders present inside /secret.
Currently we have used the policy below:
path "secret/xxxxxx/*" {
  capabilities = ["read", "list"]
}
Remove the secret/* and ask them to use the CLI rather than the browser. That'll restrict them to only seeing their own secrets. You can also give them a specific URL for their secrets; to be able to walk the secret folders they need to see the full list.
You could change "secret/*" to "secret/" in your example.
This will allow listing of the folders in the root of your KV mount but not traversal into other folders. (i.e. you’d be able to see secret/xxxxxx, secret/yyyyyy, and secret/zzzzzz but would only be able to list and view contents for items in secret/xxxxxx)
There is no way to only allow listing of folders you have further access into, to my knowledge.
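The per-client policy described in the reply above, written out as a complete Vault policy file. This is an added example, not code from the thread or from HashiCorp; it assumes a KV secrets engine mounted at secret/ and a client folder named xxxxxx (both from the question), and the policy name client-xxxxxx is a placeholder. The thread does not say which KV version is in use, so the file also carries a KV v2 variant, which is not part of the original discussion: on KV v2 the policy has to name the data/ and metadata/ prefixes, because reads go to secret/data/... and lists go to secret/metadata/....

```hcl
# Added example, not from the original thread. Assumes a KV engine mounted at
# "secret/" and a client folder "xxxxxx" (both from the question). The policy
# name "client-xxxxxx" used in the usage note is a placeholder.

# ---------- KV version 1 ----------

# Allow LIST on the top level of the mount only. With KV v1 this is what
# "vault kv list secret/" sends. The path matches "secret/" itself and nothing
# below it, so the token sees the folder names secret/xxxxxx, secret/yyyyyy,
# secret/zzzzzz but cannot list or read inside any of them except its own.
path "secret/" {
  capabilities = ["list"]
}

# Full read and list inside the client's own folder. The trailing "*" matches
# "secret/xxxxxx/" and every path beneath it, e.g. secret/xxxxxx/account_details.
path "secret/xxxxxx/*" {
  capabilities = ["read", "list"]
}

# ---------- KV version 2 ----------
# Use these three stanzas instead of the two above if the mount is KV v2.
# The CLI still takes "secret/xxxxxx/...", but the API paths it actually hits
# are "secret/data/..." for reads and "secret/metadata/..." for lists.

# Top-level folder listing: "vault kv list secret/" on v2 is a LIST on
# "secret/metadata/".
path "secret/metadata/" {
  capabilities = ["list"]
}

# Listing within the client's own folder.
path "secret/metadata/xxxxxx/*" {
  capabilities = ["read", "list"]
}

# Reading secret values within the client's own folder.
path "secret/data/xxxxxx/*" {
  capabilities = ["read"]
}
```

To apply and check it: `vault policy write client-xxxxxx client-xxxxxx.hcl`, then `vault token create -policy=client-xxxxxx`. With that token, `vault kv list secret/` returns all three folder names, `vault kv get secret/xxxxxx/account_details` succeeds, and both `vault kv list secret/yyyyyy/` and `vault kv get secret/yyyyyy/account_details` are refused with a permission denied error. If the last two succeed, a broader path such as "secret/*" is still attached to the token through another policy and should be removed.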