[Resolved] Vault Acl policy [newbie]

I use the secret kv engine. When writing an ACL policy, if the path is only written as secret/*, the user is able to access the related path, subpaths and secret; however, as soon as other paths are added after secret/, it results in the user not being able to access the corresponding path, subpaths and secret.

OK:
path "secret/*" {
  capabilities = ["read", "list"]
}

NO:
path "secret/sec/*" {
  capabilities = ["read", "list"]
}

Where did it go wrong? Thank you! Sorry for my bad English.

Translated with DeepL.com (free version)

The KV-V2 engine requires a slight change in regards to policies as the KV-V2 engine stores metadata, in addition to the standard data. You need to specify both metadata and data.

path "kv/data/path/to/secret" {
  capabilities = ["read", "list"]
}
path "kv/metadata/path/to/secret" {
  capabilities = ["read", "list"]
}

This can be shortened to a single policy, when using the + attribute.

path "kv/+/path/to/secret" {
  capabilities = ["read", "list"]
}

It seems that list is required for metadata (or +). Now it works, thank you!

path "secret/metadata/" {
  capabilities = ["list"]
}
path "secret/+/sec/*" {
  capabilities = ["read", "list"]
}
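The reason the original `secret/sec/*` rule never matched, and the `+` form from the answer does, is that a KV v2 mount turns every request into `secret/data/<key>` or `secret/metadata/<key>` before the ACL is evaluated. The following Python script is an added example written for this thread, not Vault's own code: it rebuilds the policy rules posted above, reproduces Vault's path-matching semantics (`+` matches one segment, a trailing `*` matches the rest), and reports which capabilities a given request path would get. The precedence between several matching rules follows the priority order given in Vault's policy documentation as I understand it; treat that part as an approximation rather than the engine itself.

```python
import re
from typing import Dict, List

# Constructed policy rules taken from this thread (policy path -> capabilities).
# "secret" is the KV v2 mount, so real request paths are secret/data/... and secret/metadata/...
POLICIES: Dict[str, List[str]] = {
    "secret/*": ["read", "list"],        # OP's working rule: glob covers data/ and metadata/
    "secret/sec/*": ["read", "list"],    # OP's failing rule: no KV v2 request path starts with secret/sec/
    "secret/+/sec/*": ["read", "list"],  # answer's form: '+' matches the data or metadata segment
    "secret/metadata/": ["list"],        # OP's final rule: LIST on the folder needs the trailing slash
}


def kv2_request_path(mount: str, kind: str, key: str) -> str:
    """Path that a KV v2 read ('data') or list/metadata operation ('metadata') actually
    sends to Vault; the policy is evaluated against this path, not against mount/key."""
    if kind not in ("data", "metadata"):
        raise ValueError("kind must be 'data' or 'metadata'")
    return f"{mount}/{kind}/{key}"


def rule_matches(rule: str, request_path: str) -> bool:
    """Vault ACL path matching: '+' matches exactly one non-empty path segment,
    a trailing '*' matches any remainder, everything else must match literally."""
    if "*" in rule and not rule.endswith("*"):
        raise ValueError("'*' is only valid at the end of a policy path")
    parts = []
    for segment in rule.split("/"):
        if segment == "+":
            parts.append("[^/]+")
        elif segment.endswith("*"):
            parts.append(re.escape(segment[:-1]) + ".*")
        else:
            parts.append(re.escape(segment))
    return re.fullmatch("/".join(parts), request_path) is not None


def _priority(rule: str):
    """Sort key approximating Vault's documented priority between several matching
    rules: later first wildcard, no trailing glob, fewer '+', longer, then lexical.
    An exact (wildcard-free) rule therefore always beats a glob that also matches."""
    wild = [i for i, ch in enumerate(rule) if ch in "+*"]
    first_wild = wild[0] if wild else len(rule)
    return (first_wild, not rule.endswith("*"), -rule.count("+"), len(rule), rule)


def capabilities_for(request_path: str, policies: Dict[str, List[str]] = POLICIES) -> List[str]:
    """Capabilities granted by the most specific matching rule; [] means the request is denied."""
    matching = [r for r in policies if rule_matches(r, request_path)]
    if not matching:
        return []
    return list(policies[max(matching, key=_priority)])


if __name__ == "__main__":
    for path in ("secret/data/sec/foo", "secret/metadata/sec/foo", "secret/metadata/"):
        print(path, "->", capabilities_for(path))
    # The OP's failing rule on its own never matches a KV v2 request path:
    print("secret/sec/* alone ->", capabilities_for("secret/data/sec/foo", {"secret/sec/*": ["read", "list"]}))
```

Running it shows the three working paths resolving to their capabilities, while the `secret/sec/*` rule evaluated alone returns an empty list: a `vault kv get secret/sec/foo` is a read on `secret/data/sec/foo`, which that rule's literal `sec` segment cannot match.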