Permission denied using userauth with specific policy

jackandrews7 · March 9, 2022, 7:54pm

Can’t put/get a kv secret on secret/ path, even the policy allowing it.

Created the policy file department1.hcl:

path "secret/department1/*" {
  capabilities = ["create", "read", "update", "list"]
}

Imported the policy:

vault policy write department1 department1.hcl

Enabled userpass auth method:

vault auth enable userpass

Created a user john attached to the policy:

vault write auth/userpass/users/john password=123456 policies=department1

Login as John:

vault login -method=userpass username=john

Tried to add a secret to the path secret/department1/db/mysql/server1 (this fails as john, but works as root)

vault kv put secret/department1/db/mysql/server1 login=guest password=123 server=127.0.0.1 port=3306

I am guessing is something wrong, maybe on the policy, some base principle I am missing, but could not find the answer on the docs.

Any ideas?

jeffsanicola · March 9, 2022, 8:42pm

Looks like you’re using KVv2. Try changing the path to "secret/data/department1/*". There are several other permissions you might want to investigate - see the KVv2 docs and API guide for more details around the applicable paths.

Topic		Replies	Views
Restricting access to key+value pairs using policies Vault	5	539	September 7, 2020
ACL Policy - permission denied Vault	3	1274	November 9, 2021
Problem creating a shared policy for all users Vault vault	6	797	November 12, 2021
Vault policies - no permissions error Vault	2	481	November 17, 2020
Path capability includes create, but kv put is denied?! Vault	3	416	December 21, 2020

Permission denied using userauth with specific policy

Related topics