Invalid path for a versioned K/V secrets engine while calling using API & Vault Agent

I am following the steps below:

vault secrets enable -path="secret" kv
vault kv put secret/myapp/config ttl='30s' username='appuser' password='suP3rsec(et!'

echo 'path "secret/myapp/*" {
  capabilities = ["read", "list"]
}' | vault policy write myapp -

vault auth enable aws
vault write -force auth/aws/config/client

vault write auth/aws/role/sk1.ghosh.cli auth_type=iam bound_iam_principal_arn="arn:aws:iam:::user/sk1.ghosh.cli" policies=myapp ttl=24h

My CLI returns secret values, but it is failing when I try to execute using the CLI with Vault Agent:

vault write auth/aws/role/sk1.ghosh.cli auth_type=iam bound_iam_principal_arn="arn:aws:iam::837566505083:user/sk1.ghosh.cli" policies=myapp ttl=24h

vault agent -config=./vault-agent.hcl

curl --header "X-Vault-Token: $(cat ./vault-token-via-agent)" $VAULT_ADDR/v1/secret/myapp/config | jq -r ".data"

vault-agent.hcl

exit_after_auth = true
pid_file = "./pidfile"

auto_auth {
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type = "iam"
      role = "sk1.ghosh.cli"
    }
  }

  sink "file" {
    config = {
      path = "/root/vault-token-via-agent"
    }
  }
}

vault {
  address = "http://127.0.0.1:8200"
}

ok. 1 more thing

  1. vault read secret/myapp/config
  2. vault kv get secret/myapp/config

1 will throw an error: Invalid path for a versioned K/V secrets engine.

2 will show you the result.

Are you quite sure about this command?

Because this creates a KVv1 which is unversioned, whilst all the rest of your post indicates secret/ is a KVv2 (versioned). Perhaps you actually included -version=2 at the time?


The KVv2 (versioned) has a more complex API than KVv1.

The purpose of the vault kv ... series of commands - rather than plain vault <read|write|list|delete> ... - is to work with that more complex API.

If you use the API directly, not the CLI, to work with a KVv2, you need to understand and use that API yourself. https://www.vaultproject.io/api-docs/secret/kv/kv-v2
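
The path difference this reply refers to, as an added example that is not part of the original thread: on a KVv2 mount the HTTP API inserts data/ or metadata/ after the mount name, the secret's fields sit under .data.data in the response, and policies have to match those API paths rather than the paths typed into vault kv. The helper names (kv_api_path, kv_jq_filter, kv_policy_path, kv_read) are hypothetical.

```shell
#!/bin/sh
# Added illustration: map a CLI-style KV path to the HTTP API path.
# kv_api_path <mount> <kv_version> <op> <secret_path>
#   op: read | write | list | metadata
kv_api_path() {
    mount=${1%/}; version=$2; op=$3; path=${4#/}
    case "$version" in
        1) printf '/v1/%s/%s\n' "$mount" "$path" ;;
        2) case "$op" in
               read|write)    printf '/v1/%s/data/%s\n' "$mount" "$path" ;;
               list|metadata) printf '/v1/%s/metadata/%s\n' "$mount" "$path" ;;
               *) echo "unknown op: $op" >&2; return 2 ;;
           esac ;;
        *) echo "unknown KV version: $version" >&2; return 2 ;;
    esac
}

# jq filter that extracts the key/value pairs from a read response.
# KVv1 returns them in .data; KVv2 nests them one level deeper,
# next to .data.metadata.
kv_jq_filter() {
    case "$1" in
        1) echo '.data' ;;
        2) echo '.data.data' ;;
        *) return 2 ;;
    esac
}

# Path a policy must grant for the operation (policies match API paths).
kv_policy_path() {
    p=$(kv_api_path "$1" "$2" "$3" "$4") || return
    echo "${p#/v1/}"
}

# Read a secret over HTTP: kv_read <mount> <kv_version> <secret_path> <token_file>
# Needs VAULT_ADDR, curl and jq; defined here but not called.
kv_read() {
    curl --silent --fail --header "X-Vault-Token: $(cat "$4")" \
        "${VAULT_ADDR}$(kv_api_path "$1" "$2" read "$3")" |
        jq -r "$(kv_jq_filter "$2")"
}
```

For the mount in this thread, `kv_api_path secret 2 read myapp/config` gives /v1/secret/data/myapp/config, and `kv_policy_path secret 2 read 'myapp/*'` gives secret/data/myapp/*, which is the path a read policy for a KVv2 mount has to name.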

I have reinstalled & reconfigured Vault. (Note: Vault is running Dev: vault server -dev)

vault secrets enable -version=2 kv
vault kv put kv/test/ec2 api-key="ABCDEFG9876"

vault kv get kv/test/ec2 : Gives result
vault read kv/test/ec2 : Error → Invalid path for a versioned K/V secrets engine.