Hello,
I'm using the OIDC authentication with Azure. It works well and it looks like the group mapping also works.
But when I try to define the policies it's not working.
Like
If I set this policy it's working without any problem

```hcl
path "secret/*" {
  capabilities = ["list"]
}
```

but when I want to fine tune and enable access to one of the keys, it started not working. It looks like Vault is ignoring the second rule.
I am going to guess that your secret/ is a KV v2 secrets engine.
These frequently cause great confusion for new policy authors.
The URLs you use with the KV v2 secrets engine all have an extra path segment inserted between the base path of the secrets engine, and the path within the secrets engine that you see in the UI, or use with the `vault kv ...` set of CLI commands.
If your KV v2 secrets engine is mounted at `secret/` and you are working with a secret within it at `path/to/key`, the URL-paths you will actually use will be:

- `secret/data/path/to/key` - Implements create, update, read, delete, patch - used for most common operations EXCEPT list.
- `secret/metadata/path/to/key` - Implements list, create, update, read, delete - used for list, modifying per-secret configuration settings, modifying per-secret custom metadata, and deleting the full version history of a secret.
- `secret/delete/path/to/key` - Implements update capability only - soft delete of a single version of a secret.
- `secret/undelete/path/to/key` - Implements update capability only - reverses soft delete of a single version of a secret.
- `secret/destroy/path/to/key` - Implements update capability only - permanently wipes a single version of a secret.
- `secret/subkeys/path/to/key` - Implements read capability only - returns JSON structure of secret with the values filtered out.
It is these URL-paths which would appear in your policies.
The URL layout of the KV v2 secrets engine confuses many people - if you’re going to be using them, it is good to take some time to carefully read through what operations exist on the various KV v2 subpaths, at KV - Secrets Engines - HTTP API | Vault | HashiCorp Developer.
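To make the path layout concrete, here is an added example policy (not the original poster's, and not from the Vault docs) that grants browsing plus read access to a single key. It assumes the KV v2 engine is mounted at `secret/` and the key lives at `path/to/key`, as in the thread above.

```hcl
# Added example policy; assumes a KV v2 engine mounted at secret/
# and a secret stored at path/to/key.

# Browsing: in KV v2, "list" is only implemented on the metadata/ sub-path,
# so a list rule must cover secret/metadata/..., not the bare secret path.
path "secret/metadata/*" {
  capabilities = ["list"]
}

# Reading the key: the read request goes to secret/data/path/to/key.
# A rule written against "secret/path/to/key" matches no KV v2 request,
# which is why such a second rule appears to be ignored.
path "secret/data/path/to/key" {
  capabilities = ["read"]
}

# Optional: also allow reading that key's metadata (version list, custom metadata).
path "secret/metadata/path/to/key" {
  capabilities = ["read"]
}
```

Verify with `vault policy write <name> policy.hcl` and then `vault kv get secret/path/to/key` under a token holding only this policy; a `vault kv get` of a sibling key should be denied.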