I have Vault secrets created in these paths:
kv/devops/kubernetes/myservice/mysecret
kv/devops/kubernetes/myservice/tokens/mytoken1
I have a policy that specifies
path "kv/devops/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
I am not able to access my secrets in those specified paths. In my policy, I've tried variations of kv/devops* and kv/devops/kubernetes/*.
The only policy path that works for me is kv/*, where I am able to list and read my secrets, but that is too broad for my use case.
I am misunderstanding something about secret paths and would appreciate an explanation and a proper configuration for my use case.
Thanks
path "kv/data/devops/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
If it's a versioned kv secrets engine, this should work.
I gave that a try, but it didn't work.
I'm using the web UI, and when trying to access the kv secret storage, it returns: You don't have access to kv/. If you think you've reached this page in error, please contact your administrator.
Forgot to mention, I am on v1.4.2.
For the UI you will need list on metadata:
path "kv/metadata/devops/*" {
capabilities = ["list"]
}
This is my policy now:
path "kv/data/devops/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "kv/metadata/devops/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
I just tested using the CLI as well, and I get permission denied from both. When I log in via the CLI, the attached policies are what I expected: policies ["default" "h2_devops"], h2_devops being the policy I am using. But doing
$ vault kv list kv
Error listing kv/metadata: Error making API request.
URL: GET https://<removed>/v1/kv/metadata?list=true
Code: 403. Errors:
* 1 error occurred:
* permission denied
If I use a root token, it works as expected.
Interestingly, removing devops from the path works, but that is too broad for our use case.
path "kv/data/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "kv/metadata/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
I have encountered the same problem and don't have any idea how to solve it. Does somebody know?
@Wolfsrudel, could you help with it please?
It would be a lot more granular but you could try something like this:
# List the contents of the KV mount
path "kv/metadata/" {
capabilities = ["read", "list"]
}
# List the contents of the devops folder
path "kv/metadata/devops/" {
capabilities = ["read", "list"]
}
# Read, write, delete secret metadata (allows deletion of secret itself)
path "kv/metadata/devops/*" {
capabilities = ["read", "update", "delete", "list"]
}
# Read, write, delete secret content
path "kv/data/devops/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# Delete secret version
path "kv/delete/devops/*" {
capabilities = ["update"]
}
# Restore deleted secret version
path "kv/undelete/devops/*" {
capabilities = ["update"]
}
# Permanently delete secret version (cannot be undeleted)
path "kv/destroy/devops/*" {
capabilities = ["update"]
}
I don't believe the sudo capability is used or needed at all within the KV data, so it can safely be omitted.