Permission denied using userauth with specific policy

Can’t put/get a kv secret on the secret/ path, even though the policy allows it.

Created the policy file department1.hcl:

path "secret/department1/*" {
  capabilities = ["create", "read", "update", "list"]
}

Imported the policy:

vault policy write department1 department1.hcl

Enabled userpass auth method:

vault auth enable userpass

Created a user john attached to the policy:

vault write auth/userpass/users/john password=123456 policies=department1

Logged in as john:

vault login -method=userpass username=john

Tried to add a secret at the path secret/department1/db/mysql/server1 (this fails as john, but works as root):

vault kv put secret/department1/db/mysql/server1 login=guest password=123 server=127.0.0.1 port=3306

I am guessing something is wrong, maybe in the policy, some basic principle I am missing, but I could not find the answer in the docs.

Any ideas?

Looks like you’re using KVv2. Try changing the path to "secret/data/department1/*". There are several other permissions you might want to investigate - see the KVv2 docs and API guide for more details around the applicable paths.

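The path mapping the reply points at, as an added example that is not from the original thread: a small Python model of how Vault checks a policy against the API path that `vault kv` actually calls. It shows why the question's `secret/department1/*` rule never matches a KV v2 request and renders a corrected department1.hcl; the matching rules are a simplified model of Vault's (trailing `*` glob, `+` single-segment wildcard), and the extra `secret/metadata/...` rule goes beyond the reply to cover `vault kv list`.

```python
# Added example: model Vault policy matching for a KV v2 mount.
# `vault kv put secret/department1/db/mysql/server1` is sent to the API path
# secret/data/department1/db/mysql/server1, and the policy is evaluated
# against that API path, not against the logical `vault kv` path.

KV2_OPS = {"data", "metadata", "delete", "undelete", "destroy"}


def kv2_api_path(logical_path: str, op: str = "data") -> str:
    """Map a logical `vault kv` path on a KV v2 mount to its API path."""
    if op not in KV2_OPS:
        raise ValueError(f"unknown KV v2 operation {op!r}")
    mount, _, rest = logical_path.partition("/")
    return f"{mount}/{op}/{rest}"


def policy_path_matches(pattern: str, request_path: str) -> bool:
    """Simplified Vault matching: trailing '*' is a prefix glob, '+' matches
    exactly one segment, anything else must match exactly."""
    glob = pattern.endswith("*")
    pat_segs = (pattern[:-1] if glob else pattern).split("/")
    req_segs = request_path.split("/")
    if glob:
        *head, last = pat_segs  # `last` is a partial prefix of one segment
        if len(req_segs) < len(pat_segs):
            return False
        if any(p != "+" and p != r for p, r in zip(head, req_segs)):
            return False
        return req_segs[len(head)].startswith(last)
    return len(pat_segs) == len(req_segs) and all(
        p == "+" or p == r for p, r in zip(pat_segs, req_segs))


def allowed(policy: dict, request_path: str, capability: str) -> bool:
    """Does any rule in `policy` grant `capability` on `request_path`?"""
    return any(capability in caps and policy_path_matches(pat, request_path)
               for pat, caps in policy.items())


def render_hcl(policy: dict) -> str:
    """Render a policy dict in the same HCL shape as department1.hcl."""
    blocks = []
    for pat, caps in policy.items():
        caps_str = ", ".join(f'"{c}"' for c in caps)
        blocks.append(f'path "{pat}" {{\n  capabilities = [{caps_str}]\n}}')
    return "\n\n".join(blocks)


# The policy from the question, and a corrected one for a KV v2 mount.
ORIGINAL_POLICY = {"secret/department1/*": ["create", "read", "update", "list"]}
CORRECTED_POLICY = {
    "secret/data/department1/*": ["create", "read", "update", "list"],
    "secret/metadata/department1/*": ["list", "read"],  # used by `vault kv list`
}

if __name__ == "__main__":
    print(render_hcl(CORRECTED_POLICY))
```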