Permission denied after enable-versioning


I enabled versioning with this command and got a permission denied error message.
$> vault kv enable-versioning secret

So, I tried the same command with VAULT_TOKEN, using the root token, and it worked.
$> VAULT_TOKEN='s.BOGUSBOGUSBOGUS' vault kv enable-versioning secret
Success! Tuned the secrets engine at: secret/

But now, I am not able to access the secret/ path unless I pass VAULT_TOKEN on the command line.
$> vault kv get secret/test-test/test
Error reading secret/data/test-test/test: Error making API request.
URL: GET
Code: 403. Errors:
* 1 error occurred:
  * permission denied

How can I resolve this issue? Can I reset it to not use the root token?


Hello @Wolfsrudel

Did I do something wrong in my post? Whose message will be deleted in 24 hours unless flagged? Is it yours or mine?

Thank you,

I forgot to mention: the following command worked fine prior to enabling versioning.

$> vault kv get secret/test-test/test

It’s mine. My post was nonsense. :blush:

Can anyone give me pointers on where to look? I've searched the community discussions and the issues on GitHub, but still couldn't find a solution for this.

Everything worked fine; I could kv get secret/test-test/test before VAULT_TOKEN='s.ROOT-TOKEN' vault kv enable-versioning secret.

Appreciate your help.

Thank you,

Never mind, I found it on kv2 documentation.

Since I enabled it on kv1 using this documentation, kv enable-versioning - Command | Vault by HashiCorp, I did not see that the kv2 documentation, KV - Secrets Engines | Vault by HashiCorp, mentions data/.

I had the same issue.
In my case, I added “vault kv enable-versioning kv”.
When I tried to read from the Vault Agent, the permission was denied.
I started the Vault Agent in trace mode, and I saw a new path.


In this case, you need to update your policy with values similar to those of your “kv/MYPATH”, for example:

path "kv/MYPATH" {
  capabilities = [ "create", "read", "update", "delete", "list" , "patch", "sudo"]
  policy = "write"
}

path "kv/data/MYPATH" {
  capabilities = [ "create", "read", "update", "delete", "list" , "patch", "sudo"]
  policy = "write"
}

Now, when the Vault Agent requests it, the result is 200 instead of 403.
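
An added example, not part of the thread and not Vault's own code: a small Python helper that reads a policy written for a KV v1 mount and prints the path rules the same mount needs after `vault kv enable-versioning`. It goes slightly beyond the thread by also mapping `list` to `metadata/`, which is where KV v2 serves listings. The sample policy is constructed, and the parser assumes flat `path "..." { capabilities = [...] }` stanzas.

```python
import re

# Assumption: flat stanzas only (no nested blocks such as allowed_parameters).
STANZA = re.compile(r'path\s+"([^"]+)"\s*\{(.*?)\}', re.S)
CAPS = re.compile(r'capabilities\s*=\s*\[(.*?)\]', re.S)
# API prefixes a KV v2 mount inserts between the mount and the secret path.
V2_PREFIXES = ("data/", "metadata/", "delete/", "undelete/", "destroy/")

# Constructed sample: one v1-style rule, one rule already v2-style, one unrelated.
SAMPLE_POLICY = '''
path "secret/test-test/*" {
  capabilities = ["read", "list"]
}
path "secret/data/app/*" {
  capabilities = ["read"]
}
path "sys/health" {
  capabilities = ["read"]
}
'''

def parse_policy(text):
    """Return [(path, [capabilities])] for every path stanza in the policy."""
    rules = []
    for path, body in STANZA.findall(text):
        m = CAPS.search(body)
        rules.append((path, re.findall(r'"(\w+)"', m.group(1)) if m else []))
    return rules

def v2_rules(text, mount):
    """Map v1-style rules under `mount` to the KV v2 data/ and metadata/ paths."""
    mount = mount.strip("/") + "/"
    out = {}
    for path, caps in parse_policy(text):
        rest = path[len(mount):]
        # Skip other mounts and rules already written against the v2 API.
        # Caveat: a v1 secret really named data/... is skipped; review by hand.
        if not path.startswith(mount) or rest.startswith(V2_PREFIXES):
            continue
        # Secret values live under data/; listing lives under metadata/.
        # "sudo" is dropped on purpose: KV reads and writes do not need it.
        data = [c for c in caps if c in ("create", "read", "update", "delete", "patch")]
        if data:
            out[mount + "data/" + rest] = data
        if "list" in caps:
            out[mount + "metadata/" + rest] = ["list"]
    return out

if __name__ == "__main__":
    for p, caps in v2_rules(SAMPLE_POLICY, "secret").items():
        print('path "%s" {\n  capabilities = [%s]\n}' % (p, ", ".join('"%s"' % c for c in caps)))
```

Running it against a policy before enabling versioning shows which rules will stop matching, so the policy can be updated first instead of falling back to the root token.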