List metadata only for one dir in UI

Hello :wave:

I created a KV2 for the DevOps team. The DevOps department has sub-teams per project.

Now I want to manage access for listing projects in the UI.
If I have access to project(n), I expect to see only this project listed in the devops KV via the UI. But I see all projects. Can I write a metadata policy for only one project in the UI?

path "devops/data/project/*" {
  capabilities = ["create", "update", "read", "delete", "sudo"]
}
path "devops/metadata/project/*" {
  capabilities = ["list"]
}
path "devops/metadata" {
  capabilities = ["list"]
}

I think there is a catch to this, but if you drop the “UI” requirement (or with a workaround), you can get the result you’re looking for. For browser access you do need to be able to traverse the path to get to your secret, and if one of the paths is missing from your policy then the UI breaks.

The workaround is that they would have to auth first, then manipulate the path in the browser manually to get to their secret without hitting the above projects first. You couldn’t step through the project level.

  1. The metadata has to be at the same path with similar access.
  2. You shouldn’t be using ‘sudo’ in this case.

Otherwise, this policy gives them access to the subproject, and not the project level.

path "secret/data/project/subproject/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
path "secret/metadata/project/subproject/*" {
  capabilities = ["list"]
}

Off topic note … I hope you’re just doing an example, otherwise please stop re-mounting the whole engine for each team. secret is secret, you only need one engine mounted, everything else is just a path underneath it. secret/data/{devops}/project/…
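To make the traversal point above concrete, here is an added example (not from this thread and not Vault’s own code): a small Python model of how Vault matches request paths against policy rules, run over the two policies posted above. The traversal paths are constructed to mirror the LIST calls the KV v2 UI makes when clicking down from the engine root; the matcher is an assumption that models only exact rules, the trailing-slash retry for list, and trailing-`*` globs (no `deny`, no `+`).

```python
import re

# Policies as posted in the thread (OP's, then the answer's), quoted verbatim.
OP_POLICY = '''
path "devops/data/project/*" {
  capabilities = ["create", "update", "read", "delete", "sudo"]
}
path "devops/metadata/project/*" {
  capabilities = ["list"]
}
path "devops/metadata" {
  capabilities = ["list"]
}
'''

ANSWER_POLICY = '''
path "secret/data/project/subproject/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
path "secret/metadata/project/subproject/*" {
  capabilities = ["list"]
}
'''

# Matches the simple `path "..." { capabilities = [...] }` form used above.
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> dict[str, set[str]]:
    """Extract {path: capabilities} from the minimal HCL policy form."""
    return {
        path: set(re.findall(r'"([^"]+)"', caps))
        for path, caps in RULE_RE.findall(hcl)
    }


def allowed(policy: dict[str, set[str]], path: str, capability: str) -> bool:
    """Simplified Vault ACL check (assumption: exact and trailing-'*' rules only).

    An exact rule wins; for a list the exact lookup is retried without the
    trailing slash; otherwise the longest glob rule whose prefix matches
    applies. 'deny' and the '+' segment wildcard are deliberately not modelled.
    """
    rule = policy.get(path)
    if rule is None and capability == "list":
        rule = policy.get(path.rstrip("/"))
    if rule is None:
        globs = [p for p in policy if p.endswith("*") and path.startswith(p[:-1])]
        if globs:
            rule = policy[max(globs, key=len)]
    return rule is not None and capability in rule


def ui_browse_steps(policy, mount: str, key_path: str) -> list[tuple[str, bool]]:
    """LIST calls the KV v2 UI issues while browsing from the engine root down
    to key_path, each paired with whether the policy permits it.

    Any False before the final step means the UI cannot be navigated to the
    secret by clicking; only a direct (deep-link) URL to the last path works.
    """
    prefix = f"{mount}/metadata/"
    steps = [(prefix, allowed(policy, prefix, "list"))]
    for segment in key_path.strip("/").split("/"):
        prefix += segment + "/"
        steps.append((prefix, allowed(policy, prefix, "list")))
    return steps


if __name__ == "__main__":
    # OP's policy: every level is listable, so the UI browses fine but the
    # listing of devops/metadata/project/ returns all projects.
    for path, ok in ui_browse_steps(parse_policy(OP_POLICY), "devops", "project/projectN"):
        print(f"{'ALLOW' if ok else 'DENY ':5} LIST {path}")
    print()
    # Answer's policy: the two parent listings are denied, only the
    # subproject itself can be listed, hence the deep-link workaround.
    for path, ok in ui_browse_steps(parse_policy(ANSWER_POLICY), "secret", "project/subproject"):
        print(f"{'ALLOW' if ok else 'DENY ':5} LIST {path}")
```

Running it shows the two outcomes side by side: the OP’s policy allows every LIST on the way down (which is exactly why all projects appear, since a list returns every key under the prefix regardless of what the policy grants further down), while the sub-project-scoped policy denies the root and project-level listings and only permits the sub-project path itself.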

Thank you! Access via the full path in the browser link works well :+1:

Off topic note:
Is it bad practice to re-mount the secret engine as another method of abstraction? :grimacing:

I began to use this bad approach with re-mounting only because I did not quite understand how to give access with a working UI… :see_no_evil: