Permission denied after enable-versioning

laurentiuspurba · February 11, 2021, 6:24pm

Hello,

I did enable versioning with this command and got permission denied error message.
$> vault kv enable-versioning secret

So, I tried the same command with VAULT_TOKEN, using root token and it worked.
$> VAULT_TOKEN=‘s.BOGUSBOGUSBOGUS’ vault kv enable-versioning secret
Success! Tuned the secrets engine at: secret/

But now, I am not able to access secret/ path, unless I pass VAULT_TOKEN in the command line.
$> vault kv get secret/test-test/test
Error reading secret/data/test-test/test: Error making API request.URL: GET https://MYVAULT-DOMAIN.com/v1/secret/data/test-test/test
Code: 403. Errors:* 1 error occurred:

permission denied

How can I resolve this issue? Can I reset it to not using root token?

Thanks!
Laurentius

laurentiuspurba · February 12, 2021, 1:23am

Hello @Wolfsrudel

Did I do something wrong on my posting? Whose message that will be deleted in 24 hours unless flagged? Is it yours or mine?

Thank you,
Laurentius

laurentiuspurba · February 12, 2021, 1:36am

I forgot to mention. The following command worked fine prior enabling versioning

$> vault kv get secret/test-test/test

Wolfsrudel · February 12, 2021, 8:42am

It’s mine. My post was nonsense.

laurentiuspurba · February 12, 2021, 7:21pm

Anyone can give me pointers where to look to? I’ve searched on community discussion, issues on github, but still couldn’t find solution for this.

Everything worked fine, I could kv get secret/test-test/test before VAULT_TOKEN=‘s.ROOT-TOKEN’ vault kv enable-versioning secret.

Appreciate your help.

Thank you,
Laurentius

laurentiuspurba · February 12, 2021, 8:17pm

Never mind, I found it on kv2 documentation.

Since I enabled it on kv1 using this documentation, kv enable-versioning - Command | Vault by HashiCorp, I did not see that kv2 documentation, KV - Secrets Engines | Vault by HashiCorp, mentioned about data/.

jhmartinez · March 8, 2022, 8:33am

I had the same issue.
In my case, I added “vault kv enable-versioning kv”.
When I tried to read from the Vault Agent, the permission was denied.
I started the Vault Agent in trace mode, and I saw a new path.

ORIGINAL-PATH-IN-POLICY: kv/MYPATH
NEW-PATH: kv/data/MYPATH

In this case, you need to update your policy with similar values of your “kv/MYPATH”, example:

path "kv/MYPATH" {
  capabilities = [ "create", "read", "update", "delete", "list" , "patch", "sudo"]
  policy = "write"
}

path "kv/data/MYPATH" {
  capabilities = [ "create", "read", "update", "delete", "list" , "patch", "sudo"]
  policy = "write"
}

Now, when the Vault Agent requested it, the result is 200 instead of 403.