KV Secret Engine - API Not working

Hello,

I’m a newbie. I’m trying to list the KV secrets using API but for some reason it does not work. I’m running this for a non root user.

First I generate the client token using this command,
#curl --request POST --data @data.json http://127.0.0.1:8200/v1/auth/userpass/login/testuser

then used these commands to list the secrets.
#curl --header "X-Vault-Token: " --request LIST http://127.0.0.1:8200/v1/secret/metadata/secrets
#curl --header "X-Vault-Token: " --request LIST http://192.168.0.5:8200/v1/secrets

But I either get “Permission denied” or “Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use ‘vault kv list’ for this operation.”

Please advise.

Thanks

I’m running Vault v1.4.0.

http://<your-ip>:8200/v1/secrets/metadata
http://<your-ip>:8200/v1/secret/metadata

is not working? Dunno if it’s secret or secrets in your setup.

This actually worked.

curl -s --header "X-Vault-Token: " --request LIST http://127.0.0.1:8200/v1/secrets/metadata | jq '.data'
{
  "keys": [
    "vault"
  ]
}

But when I try to access the “vault” key, I get this error.

curl -s --header "X-Vault-Token: " --request LIST http://127.0.0.1:8200/v1/secrets/metadata/vault | jq
{
  "errors":
}

So what am I doing wrong here?

Instead of metadata there must be data if you want to read the key. And it’s a POST, not LIST.

curl -s --header "X-Vault-Token: " --request POST http://127.0.0.1:8200/v1/secrets/data/vault

If you are more familiar with the CLI, you can let it generate the curl command for you, using the -output-curl-string parameter.

cURL Command Output: CLI commands can now use the -output-curl-string flag to print out

It didn’t work.
curl -s --header "X-Vault-Token: " --request LIST http://127.0.0.1:8200/v1/secrets/metadata/ | jq '.data.keys'
[
  "test",
  "vault"
]

curl -s --header "X-Vault-Token: " --request POST http://127.0.0.1:8200/v1/secrets/data/vault | jq

{
  "errors": [
    "1 error occurred:\n\t* permission denied\n\n"
  ]
}

Has your token the policy attached that allows to read the key?

This is the policy that is attached to the user.

path "secrets/vault" {
  capabilities = ["read","update"]
}

path "secrets/*" {
  capabilities = ["list"]
}

For a versioned k/v it should be

path "secrets/data/vault" {
  capabilities = ["read","update"]
}

The data is missing in your path. Then it should work. :)

Thanks!! It’s working :)
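
Why the first policy in this thread was denied and the corrected one works, as an added example that is not part of the original thread and not Vault's own code: a simplified model of policy matching (exact path first, otherwise the longest trailing-`*` prefix) applied to the API paths a KV v2 mount actually checks. The function names are hypothetical, and the fixed policy is assumed to keep the poster's `secrets/*` list rule.

```python
# Added example: simplified model of Vault policy matching for a KV v2 mount.
# Only exact paths and a trailing "*" glob are modelled; names are hypothetical.

# KV v2 operation -> (HTTP verb, API sub-path under the mount, capability checked)
KV2_OPS = {
    "read":   ("GET",    "data",     "read"),
    "write":  ("POST",   "data",     "update"),   # update applies to an existing key
    "delete": ("DELETE", "data",     "delete"),
    "list":   ("LIST",   "metadata", "list"),
}

def kv2_request(mount, op, key=""):
    """Return (verb, API path without the /v1/ prefix, capability) for a KV v2 operation."""
    verb, prefix, cap = KV2_OPS[op]
    path = "/".join(p for p in (mount, prefix, key.strip("/")) if p)
    return verb, path, cap

def granted(policy, path):
    """Capabilities granted on path: an exact rule wins, else the longest glob prefix."""
    if path in policy:
        return set(policy[path])
    globs = [p for p in policy if p.endswith("*") and path.startswith(p[:-1])]
    return set(policy[max(globs, key=len)]) if globs else set()

def allowed(policy, mount, op, key=""):
    """True if the policy grants the capability the KV v2 request needs."""
    _, path, cap = kv2_request(mount, op, key)
    return cap in granted(policy, path)

# The policies from the thread, written as path -> capabilities.
ORIGINAL = {"secrets/vault": ["read", "update"], "secrets/*": ["list"]}
# Assumption: the corrected stanza replaces the first rule, the list rule stays.
FIXED = {"secrets/data/vault": ["read", "update"], "secrets/*": ["list"]}

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        for op, key in (("list", ""), ("read", "vault"), ("write", "vault")):
            verb, path, cap = kv2_request("secrets", op, key)
            ok = allowed(policy, "secrets", op, key)
            verdict = "allowed" if ok else "permission denied"
            print(f"{name:8} {verb:6} /v1/{path:20} needs {cap:6} -> {verdict}")
```

With the original policy, the rule on `secrets/vault` never matches a KV v2 request, so reads fall through to `secrets/*`, which grants only `list`.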