Hello,
I would like to have access to only one secret “master1.1” contained in the path “master1”.

Here is my policy that I used when I generated the token for the user

When I connect to the vault I see “master 1”, but I am not authorized to access “master 1.1”.
Do I need access to both “master 1.1” and “master 1.2” or is my policy not correct?
In the policy, remove the last “/*” from the path and try again. Your secret is a file and the last entry in the path. With your policy, Vault is searching for a “directory” and everything in it.
I tried what you said but it doesn’t work.
But when I put a “*” instead of “master1.1”, I can access the secrets.

Maybe the vault won’t allow me to have access to a secret if I don’t have rights for other secrets inside a path?
Not really. I’m going to re-enact that today.
Can you meanwhile try your original policy, without the “/*” and an additional entry with path master1/, capabilities list?
Before that try to get the master1.1 using the cli (and my first suggestion). If that works it’s the “ui needs list”-thing.
This should work now:
path "master1/*" {
  capabilities = ["list"]
}
path "master1/data/master1.1" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
My setup
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ export VAULT_ADDR=http://127.0.0.1:8200
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ export VAULT_TOKEN=s.wENK4hK2MifoaBYaNJuk37P8
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ vault operator unseal rkSjOr5q0v4MxxadY8JmU/F2cVr+6EqUFseJ+gUTIb8=
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.3.0
Cluster Name vault-cluster-697ac1ca
Cluster ID bb818481-70f0-eedc-a436-c36546336841
HA Enabled false
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ vault secrets enable -version=2 -path=master1 kv
Success! Enabled the kv secrets engine at: master1/
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ vault secrets list -detailed
Path Plugin Accessor Default TTL Max TTL Force No Cache Replication Seal Wrap External Entropy Access Options Description UUID
---- ------ -------- ----------- ------- -------------- ----------- --------- ----------------------- ------- ----------- ----
cubbyhole/ cubbyhole cubbyhole_b8e1d331 n/a n/a false local false false map[] per-token private secret storage 14664a01-f9d6-632d-6250-a8faeac769a8
identity/ identity identity_12fd7d77 system system false replicated false false map[] identity store d3e42ecc-15f7-8a40-6616-294e3262225f
master1/ kv kv_70a6d540 system system false replicated false false map[version:2] n/a aa9b1397-910d-a62b-4f66-6f02f8c84990
secret/ kv kv_1cf81677 system system false replicated false false map[version:2] key/value secret storage fed3550d-8631-4a43-821b-6b24db38db5c
sys/ system system_d444f17f n/a n/a false replicated false false map[] system endpoints used for control, policy and debugging 6f90ab78-4afd-8874-e107-7ba63210f3e2
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ cat policy.hcl
path "master1/*" {
  capabilities = ["list"]
}
path "master1/data/master1.1" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ vault policy write policy policy.hcl
Success! Uploaded policy: policy
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ vault policy list
default
policy
root
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ vault token create -policy="policy"
Key Value
--- -----
token s.OK9vBfl42r31hr6mXrfatc0F
token_accessor Oa9mk1baiZLfqqzKENxjJB84
token_duration 768h
token_renewable true
token_policies ["default" "policy"]
identity_policies []
policies ["default" "policy"]
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ vault kv put master1/master1.1 password=secret
Key Value
--- -----
created_time 2020-03-20T14:23:49.49000041Z
deletion_time n/a
destroyed false
version 1
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ VAULT_TOKEN=s.OK9vBfl42r31hr6mXrfatc0F vault kv get master1/master1.1
====== Metadata ======
Key Value
--- -----
created_time 2020-03-20T14:23:49.49000041Z
deletion_time n/a
destroyed false
version 1
====== Data ======
Key Value
--- -----
password secret
In the ui:
Thank you for your help it works now !
The “/data” made the difference 
Yeah, I missed it myself until I tried.
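
Why the “/data” segment matters, as an added example that is not part of the thread and not Vault's own code: a simplified Python model of how a `vault kv` command on a KV v2 mount turns into an API path, and how that path is matched against policy paths. The function names are hypothetical, only exact paths and a trailing `*` are modelled, and the two failing policies are assumed shapes based on the replies, since the original policy is not shown.

```python
# Simplified model of Vault ACL matching on a KV v2 mount (added illustration).
# Only exact paths and a trailing "*" are modelled; function names are hypothetical.

ALL = ["create", "read", "update", "delete", "list"]

# Assumed shapes of the two attempts that failed (the original policy is not shown).
WITH_GLOB = {"master1/master1.1/*": ALL}
WITHOUT_DATA = {"master1/master1.1": ALL}
# The policy from the thread that works.
WORKING = {"master1/*": ["list"], "master1/data/master1.1": ALL}


def kv2_api_path(mount, secret, op):
    """Translate `vault kv <op> <mount>/<secret>` into (API path, capability)."""
    mount, secret = mount.strip("/"), secret.strip("/")
    if op == "get":   # KV v2 reads go through <mount>/data/<secret>
        return f"{mount}/data/{secret}", "read"
    if op == "list":  # KV v2 listings go through <mount>/metadata/<secret>
        return f"{mount}/metadata/{secret}", "list"
    raise ValueError(f"unsupported op: {op}")


def capabilities_for(policy, request_path):
    """Capabilities of the most specific rule that matches request_path."""
    if request_path in policy:  # an exact path beats any glob
        return set(policy[request_path])
    globs = [p for p in policy
             if p.endswith("*") and request_path.startswith(p[:-1])]
    if not globs:
        return set()  # nothing matches: implicit deny
    return set(policy[max(globs, key=len)])  # longest prefix wins


def allowed(policy, mount, secret, op):
    path, capability = kv2_api_path(mount, secret, op)
    return capability in capabilities_for(policy, path)


if __name__ == "__main__":
    for name, pol in [("with /*", WITH_GLOB), ("without data/", WITHOUT_DATA),
                      ("working", WORKING)]:
        print(f"{name:14} get master1.1 ->", allowed(pol, "master1", "master1.1", "get"))
    print("working        get master1.2 ->", allowed(WORKING, "master1", "master1.2", "get"))
    print("working        list mount    ->", allowed(WORKING, "master1", "", "list"))
```

With the working policy the token can list the mount and read only `master1.1`; a read of `master1.2` falls through to the `master1/*` rule, which grants `list` and nothing else.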