Restricting access to key+value pairs using policies

Hello

I’m using some code to create kv secrets (username and password information) and wanted to restrict “read” to only the username key using policies.
I was looking at the “Parameter Constraints” documentation and tried to use “read” instead of “create”, but I still got all the parameters in the response.

Best regards,
Mário

Can you share your policy definition with us?

Sure:

path "kv/data/hostname" {
  capabilities = [ ]
}

path "kv/data/hostname" {
  capabilities = [ "read" ]
  allowed_parameters = {
    "user" = []
  }
}

With only the first part I got a permission denied, as expected; with both parts I get all parameters, not only user. I also tried adding the following:

path "kv/data/hostname" {
  capabilities = [ "read" ]
  denied_parameters = {
    "password" = []
  }
}

I’m curious if this is possible as well. Did you ever find a solution to this?

My understanding is that the usage of allowed/denied parameters is intended to control what is written and doesn’t extend to the retrieval of secrets.
So far the only solution I came up with is to split by paths, e.g., kv/data/hostname/user and kv/data/hostname/password, and apply policies accordingly.
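The split-by-path approach from the last reply, written out as two policy files. This is an added example, not a policy from anyone in the thread; it assumes a KV v2 engine mounted at "kv/", that each field has been written to its own path (the `value` field name, the `kv put` commands in the comments and the policy names are illustrative), and that the KV v2 data prefix `kv/data/` is what the policy must match. `allowed_parameters` and `denied_parameters` only constrain the parameters of the incoming request (the keys you write, or query parameters such as `version` on a read); they never filter the fields in a response, so the only way to hide `password` from a token is to keep it at a path that token cannot read.

```hcl
# Secrets stored one field per path, e.g.:
#   vault kv put kv/hostname/user     value=alice        # constructed sample
#   vault kv put kv/hostname/password value='s3cr3t'     # constructed sample
#
# --- hostname-user-reader.hcl -------------------------------------------
# Grants read on the username only. A read of kv/data/hostname/password
# with a token carrying only this policy is denied, because no rule
# matches that path.
path "kv/data/hostname/user" {
  capabilities = ["read"]
}

# --- hostname-full-reader.hcl -------------------------------------------
# Grants read on every field under hostname/ via a glob. "list" on the
# metadata path is needed only if the consumer must enumerate the keys
# (vault kv list kv/hostname); a plain "vault kv get" does not need it.
path "kv/data/hostname/*" {
  capabilities = ["read"]
}

path "kv/metadata/hostname/" {
  capabilities = ["list"]
}
```

Each file is loaded with `vault policy write hostname-user-reader hostname-user-reader.hcl` (and likewise for the full reader), and the consumer reads a single field with `vault kv get -field=value kv/hostname/user`. If a field is added later (say `kv/hostname/api-key`), the glob policy picks it up automatically while the user-only policy does not, so review the glob when new fields are introduced.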