Issues setting up admin-policy

I’ve setup vault using a postgres backend and tried to setup the admin policy as such Vault Policies | Vault - HashiCorp Learn and I’ve created a few kv2 secret engines.
However, my end use whom I assigned the policies to cannot see any secret engines.

Screenshot 2022-02-21 at 12.30.40 PM

Hey! Before anyone can help you, they need to see your policy first. Can you share your policy so that the mistake can be found?

Just an overall statement. There is “almost” no reason to setup multiple KV engines for 99.9% of situations. Use policies to restrict access rather than setting up multiple engines mounts.

To answer your question, there is no such thing as “admin” in Vault. There is the root token, then there is everything else. Everything else is a “deny” all state. So nothing should be allowed unless there is a policy in effect that allows that access.

If you’re seeing something then one of the policies that is attached to your token allows it. Check the default policy which is auto-assigned to most tokens (unless you tell Vault not to assign it [ -no-default-policy is an option for some commands, ex: vault token create ]).

You can check what policies are attached to a token with vault token lookup <token>. You can check the policy of a token against a path to see what the result would be with: vault token capabilities <token> <path>.

I was using the admin policy. In any case I’ve moved on from that but I’m now trying

path “secret/data/{{}}/*” {
capabilities = [“create”, “update”, “read”, “delete”]

path “secret/metadata/{{}}/*” {
capabilities = [“list”]

But I keep getting this. Honestly the tutorials are broken and frustrating to implement. Does the work?

There is no “KV” engine mounted at “secret”.

You may also need to grant the list capability on secret/metadata/.

Once you get into specific pathing in policies you need to be very verbose, especially if you don’t want users to see directory listings in which they do not have read access to secrets.

Note that Vault currently does not support “access based enumeration” so your users will see, at minimum, all the folders in the root of your KV mount.