Is a policy limited to the engine level only, or does it apply to all paths and sub-paths?

Hello dears,

I know that policies should be a straightforward deal; I'm not really sure what's happening in my case.

I'm trying to apply a policy for a specific user, where I want to give read, list and update permission on a specific path.

My policy is:

path "kv/Non-Prod/*"
{
  capabilities = ["list","create","update","delete","read"]
}

The user can't see anything under the kv engine, so I tried the following:

path "kv/*"
{
  capabilities = ["list"]
}

path "kv/Non-Prod/*"
{
  capabilities = ["list","create","update","delete","read"]
}

The user can now see all secrets under kv; however, they can't edit/update any secret under kv/Non-Prod/*.

We are using Vault Open Source, version 1.7.3
KV Version 2

Appreciate your support.
Regards,

First: Please fix the formatting of your post - some of the * characters have been interpreted as italic formatting, making it really quite hard to read. Use a line consisting just of three backticks (```) to mark the start and end of code blocks.

You don’t say whether your secret engine mounted at KV is configured to be version 1 or version 2. But my guess based on the symptoms is that it’s version 2.

Version 2 KV uses somewhat complicated URLs, which need to be accounted for in your policy paths. Read about it here: https://www.vaultproject.io/docs/secrets/kv/kv-v2

Dear @maxb ,

Thanks for your reply. As per the document, we need to prefix the path with /data/ to read or write; I've applied the same, and it stopped listing the secrets.

Policies updated as below:

path "secret/data/kv/Non-Prod/*"
{
  capabilities = ["create", "update", "read"]
}

Any advice?
Regards,

Well, yes, you didn’t add any policy to allow list.

From the previously linked document:

To allow a policy to list keys:

path "secret/metadata/dev/team-1/*" {
  capabilities = ["list"]
}

Hi @maxb,

If I add the list in the format below, it won't show the KV engine.

path "secret/metadata/kv/Non-Prod/*"
{
  capabilities = ["list"]
}
path "secret/data/kv/Non-Prod/*"
{
  capabilities = ["create", "update", "read"]
}


and I'll get

# Not Authorized
Ember Data Request GET /v1/sys/internal/ui/mounts/kv returned a 403 Payload (application/json) [object Object]

preflight capability check returned 403, please ensure client's policies grant access to path "kv/"

In the old format, it will list the folders, and I'll get the error below if I enter the "Non-Prod" folder:

You don't have access to `kv/` . If you think you've reached this page in error, please contact your administrator.

Old format:

path "kv/*"
{
  capabilities = ["list"]
}
path "secret/data/kv/Non-Prod/*"
{
  capabilities = ["create", "update", "read"]
}

Regards

In the document’s examples, secret/ is the location of the KV. Yours seems to be at kv/ so you should make that substitution when using an example from the document.
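The behaviour in this thread follows from two rules that are easy to check without a Vault server: a KV v2 mount at kv/ authorizes list requests against kv/metadata/... and read/write requests against kv/data/..., and when several policy paths could apply, Vault does not union them but uses the single most specific one (an exact path match, otherwise the longest matching glob prefix). The following Python is an added example written for this edit, not code from the thread or from Vault itself; it models that matching for the trailing-`*` glob form only (the `+` segment wildcard is deliberately not modelled, an assumption that holds for every policy posted above) and uses a minimal regex parser that only understands the `path "..." { capabilities = [...] }` fragments seen in the thread. The three policy strings are copied from the thread; the "corrected" one applies maxb's last remark, substituting kv/ for secret/ in the documentation example.

```python
import re
from dataclasses import dataclass

# Minimal parser for the policy fragments used in this thread, e.g.
#   path "kv/data/Non-Prod/*" { capabilities = ["create", "update"] }
# It is not a general HCL parser.
POLICY_RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


@dataclass(frozen=True)
class Rule:
    path: str
    capabilities: frozenset


def parse_policy(hcl: str) -> list:
    """Extract (path, capabilities) rules from a Vault policy written in HCL."""
    rules = []
    for m in POLICY_RULE_RE.finditer(hcl):
        caps = frozenset(c.strip().strip('"') for c in m.group(2).split(",") if c.strip())
        rules.append(Rule(m.group(1), caps))
    return rules


def matching_rule(rules, request_path):
    """Pick the rule Vault applies to a request path: an exact (non-glob) path
    wins, otherwise the longest glob ("...*") whose prefix matches. Rules are
    not merged; only this one rule decides. The '+' segment wildcard is not
    modelled (assumption: none of the thread's policies use it)."""
    for r in rules:
        if not r.path.endswith("*") and r.path == request_path:
            return r
    globs = [r for r in rules if r.path.endswith("*") and request_path.startswith(r.path[:-1])]
    return max(globs, key=lambda r: len(r.path)) if globs else None


def is_allowed(rules, capability, request_path):
    r = matching_rule(rules, request_path)
    return r is not None and capability in r.capabilities


def kv2_api_path(mount, capability, secret_path):
    """Map a KV v2 secret path to the API path the ACL is evaluated against:
    listing goes through <mount>/metadata/, reads/writes (and the default
    soft delete) through <mount>/data/."""
    prefix = "metadata" if capability == "list" else "data"
    return f"{mount}/{prefix}/{secret_path}"


def kv2_allowed(policy_hcl, capability, secret_path, mount="kv"):
    """True if the policy grants `capability` on a KV v2 secret path."""
    rules = parse_policy(policy_hcl)
    return is_allowed(rules, capability, kv2_api_path(mount, capability, secret_path))


# The poster's second attempt: listing everywhere, full rights on kv/Non-Prod/*.
ORIGINAL_POLICY = """
path "kv/*"
{
  capabilities = ["list"]
}
path "kv/Non-Prod/*"
{
  capabilities = ["list","create","update","delete","read"]
}
"""

# The poster's third attempt, which copied the documentation's secret/ mount name.
MISPLACED_MOUNT_POLICY = """
path "secret/data/kv/Non-Prod/*"
{
  capabilities = ["create", "update", "read"]
}
"""

# Documentation example with kv/ substituted for secret/, as the last reply advises.
CORRECTED_POLICY = """
path "kv/metadata/Non-Prod/*"
{
  capabilities = ["list"]
}
path "kv/data/Non-Prod/*"
{
  capabilities = ["create", "update", "read", "delete"]
}
"""

if __name__ == "__main__":
    checks = [("list", "Non-Prod/"), ("update", "Non-Prod/db"), ("list", "Prod/")]
    for name, policy in [("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)]:
        for cap, path in checks:
            api = kv2_api_path("kv", cap, path)
            rule = matching_rule(parse_policy(policy), api)
            hit = rule.path if rule else "(no rule)"
            print(f"{name:9} {cap:6} {path:12} -> {api:28} rule {hit:24} allowed={kv2_allowed(policy, cap, path)}")
```

Running the block reproduces the thread's symptoms: under the original policy an update of Non-Prod/db becomes a request to kv/data/Non-Prod/db, which only kv/* matches, so the list-only rule wins and the write is denied, while listing Prod/ is allowed because kv/* covers kv/metadata/Prod/ too. The secret/data/kv/... policy matches nothing for a mount at kv/. The corrected policy grants list through kv/metadata/Non-Prod/* and writes through kv/data/Non-Prod/*, and nothing outside Non-Prod.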