KV Secret Engine - API Not working


I’m a newbie. I’m trying to list the KV secrets using API but for some reason it does not work. I’m running this for a non root user.

First I generate the client token using this command,
#curl --request POST --data @data.json

then used these commands to list the secrets.
#curl --header "X-Vault-Token: " --request LIST
#curl --header "X-Vault-Token: " --request LIST

But I either get “Permission denied” or “Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use ‘vault kv list’ for this operation.”

Please advise.


I’m running Vault v1.4.0.


is not working? Dunno if it’s secret or secrets in your setup.

This actually worked.

curl -s --header "X-Vault-Token: " --request LIST | jq '.data'
{ "keys": [ "vault"


But when I try to access the “vault” key, I get this error.

curl -s --header "X-Vault-Token: " --request LIST | jq
{ "errors":


So what am I doing wrong here?

Instead of metadata there must be data if you want to read the key. And it’s a POST, not LIST.

curl -s --header "X-Vault-Token: " --request POST

If you are more familiar with the CLI, you can let it generate the curl command for you, using the -output-curl-string parameter.

cURL Command Output: CLI commands can now use the -output-curl-string flag to print out

It didn’t work.
curl -s --header "X-Vault-Token: " --request LIST | jq '.data.keys'

curl -s --header "X-Vault-Token: " --request POST | jq

"errors": [
"1 error occurred:\n\t* permission denied\n\n"

Does your token have the policy attached that allows it to read the key?

This is the policy that is attached to the user.

path "secrets/vault" {
  capabilities = ["read", "update"]
}

path "secrets/*" {
  capabilities = ["list"]
}

For a versioned k/v it should be

path "secrets/data/vault" {
  capabilities = ["read", "update"]
}

The data is missing in your path. Then it should work. :slight_smile:

Thanks!! It’s working :slight_smile:
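
An added example, not part of the original thread and not Vault's own code: a simplified Python model of how the two policies above are evaluated against KV v2 API paths, showing why listing worked while the read was denied. It assumes the `secrets/*` stanza was left unchanged in the fixed policy, and it models only exact paths and a trailing `*` glob; the function names are hypothetical.

```python
# Added example: simplified model of Vault ACL path matching for a KV v2 mount.
# Assumptions: only exact paths and a trailing "*" glob are modelled
# (no "+" segment wildcard, no "deny"); all function names are hypothetical.

def kv2_request(mount, secret_path, operation):
    """Return (api_path, capability) that a KV v2 operation is authorized against."""
    if operation == "list":
        return f"{mount}/metadata/{secret_path}", "list"
    if operation == "read":
        return f"{mount}/data/{secret_path}", "read"
    if operation == "write":  # writing to an existing secret
        return f"{mount}/data/{secret_path}", "update"
    raise ValueError(f"unsupported operation: {operation}")

def matching_rule(policy, api_path):
    """Pick the most specific rule: an exact path wins, else the longest glob prefix."""
    if api_path in policy:
        return api_path
    globs = [p for p in policy if p.endswith("*") and api_path.startswith(p[:-1])]
    return max(globs, key=len, default=None)

def allowed(policy, mount, secret_path, operation):
    """True if the single matching rule grants the capability the operation needs."""
    api_path, capability = kv2_request(mount, secret_path, operation)
    rule = matching_rule(policy, api_path)
    return rule is not None and capability in policy[rule]

# Policies from the thread, written as {path: capabilities}.
ORIGINAL = {"secrets/vault": ["read", "update"], "secrets/*": ["list"]}
# Assumption: only the first stanza was changed in the fix.
FIXED = {"secrets/data/vault": ["read", "update"], "secrets/*": ["list"]}

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        for op, path in (("list", ""), ("read", "vault")):
            api_path, _ = kv2_request("secrets", path, op)
            ok = allowed(policy, "secrets", path, op)
            verdict = "allowed" if ok else "permission denied"
            print(f"{name:8} {op:5} {api_path:20} -> {verdict}")
```

With the original policy, the read request falls through to `secrets/*`, which grants only `list`; the `secrets/vault` stanza never matches because the API path carries the `data/` segment.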