Hi,
I have set up OIDC auth for Vault. However, the secrets engines are not visible in the web UI; I only get the cubbyhole secrets engine.
When using the same token via the CLI, however, all secrets engines are listed:
Key Value
--- -----
aws/ map[accessor:aws_71f7b4e7 config:map[default_lease_ttl:0 force_no_cache:false max_lease_ttl:0] deprecation_status:supported description: external_entropy_access:false local:false options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:false type:aws uuid:65951f1a-23de-23a1-d013-3d2351ab288e]
bla/ map[accessor:kv_a41b60fc config:map[default_lease_ttl:0 force_no_cache:false listing_visibility:hidden max_lease_ttl:0] deprecation_status:supported description: external_entropy_access:false local:false options:map[version:2] plugin_version: running_plugin_version:v0.21.0+builtin running_sha256: seal_wrap:false type:kv uuid:36db0ce9-0c6f-d531-fda0-f3e50b17beed]
cubbyhole/ map[accessor:cubbyhole_0ba1f259 config:map[default_lease_ttl:0 force_no_cache:false max_lease_ttl:0] description:per-token private secret storage external_entropy_access:false local:true options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:false type:cubbyhole uuid:30ba4da2-8387-2f81-5227-71a81829c836]
identity/ map[accessor:identity_7be22bb5 config:map[default_lease_ttl:0 force_no_cache:false max_lease_ttl:0 passthrough_request_headers:[Authorization]] description:identity store external_entropy_access:false local:false options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:false type:identity uuid:02384402-7268-fb04-a5ed-4d8e8e4d6801]
pki-web-intern-ecdsa/ map[accessor:pki_c8f4296f config:map[default_lease_ttl:0 force_no_cache:false max_lease_ttl:315360000] deprecation_status:supported description: external_entropy_access:false local:false options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:false type:pki uuid:45380891-026c-4bcc-e930-aa73163b0fa4]
pki-web-intern-rsa/ map[accessor:pki_b1fc5574 config:map[default_lease_ttl:0 force_no_cache:false max_lease_ttl:315360000] deprecation_status:supported description: external_entropy_access:false local:false options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:false type:pki uuid:94fc0b7e-703d-2a7c-f9bd-e0965d72cc2b]
sc_pki/ map[accessor:pki_f1cd8100 config:map[default_lease_ttl:0 force_no_cache:false max_lease_ttl:315360000] deprecation_status:supported description: external_entropy_access:false local:false options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:false type:pki uuid:1b9d0cf9-9d5a-6bf8-0d70-01969ec387cc]
sys/ map[accessor:system_07ee4f71 config:map[default_lease_ttl:0 force_no_cache:false max_lease_ttl:0 passthrough_request_headers:[Accept]] description:system endpoints used for control, policy and debugging external_entropy_access:false local:false options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:true type:system uuid:db84594c-cede-5513-5d53-1456a4b79c64]
The following is listed in the ACL:
# Manage secrets engines
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts" {
  capabilities = ["read", "list"]
}

path "/sys/internal/ui/mounts/*" {
  capabilities = ["read", "list"]
}

path "/sys/internal/ui/mounts" {
  capabilities = ["read", "list"]
}
I tried vault read /sys/internal/ui/mounts as well, which gives me the following output:
Key Value
--- -----
auth map[oidc/:map[accessor:auth_jwt_a9aa42ea config:map[default_lease_ttl:2764800 force_no_cache:false max_lease_ttl:2764800 token_type:default-service] deprecation_status:supported description: external_entropy_access:false local:false options:<nil> plugin_version: running_plugin_version:v0.23.0+builtin running_sha256: seal_wrap:false type:jwt uuid:238f81fb-4fe2-368a-4c4c-24664e84acb4] token/:map[accessor:auth_token_e1290654 config:map[default_lease_ttl:2764800 force_no_cache:false max_lease_ttl:2764800 token_type:default-service] description:token based credentials external_entropy_access:false local:false options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:false type:token uuid:1d0c2976-914e-06e1-8e5c-b17cacf8085b]]
secret map[cubbyhole/:map[accessor:cubbyhole_0ba1f259 config:map[default_lease_ttl:2764800 force_no_cache:false max_lease_ttl:2764800] description:per-token private secret storage external_entropy_access:false local:true options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:false type:cubbyhole uuid:30ba4da2-8387-2f81-5227-71a81829c836] identity/:map[accessor:identity_7be22bb5 config:map[default_lease_ttl:2764800 force_no_cache:false max_lease_ttl:2764800 passthrough_request_headers:[Authorization]] description:identity store external_entropy_access:false local:false options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:false type:identity uuid:02384402-7268-fb04-a5ed-4d8e8e4d6801] sys/:map[accessor:system_07ee4f71 config:map[default_lease_ttl:2764800 force_no_cache:false max_lease_ttl:2764800 passthrough_request_headers:[Accept]] description:system endpoints used for control, policy and debugging external_entropy_access:false local:false options:<nil> plugin_version: running_plugin_version:v1.19.0+builtin.vault running_sha256: seal_wrap:true type:system uuid:db84594c-cede-5513-5d53-1456a4b79c64]]
It seems that the UI endpoint only returns the cubbyhole secret engine. Can someone please explain why this is happening?
Vault version: 1.19.0
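Added example, not part of the original post and not Vault's own source: a short Python model of the check that separates the two listings above. vault secrets list reads sys/mounts, which the posted policy permits outright, so every mount comes back. The web UI instead calls sys/internal/ui/mounts, which returns only the mounts on which the calling token holds at least one non-deny capability, either on the mount prefix itself or on some path beneath it (plus any mount whose listing_visibility is set to unauth). Assumed here: the OIDC token also carries Vault's built-in default policy, which is where the cubbyhole and identity rules come from; the leading slashes in the posted policy are dropped; '+' segment wildcards and templated paths are not modelled; and the APP_RULES paths are hypothetical rules chosen to illustrate what makes a mount appear.

```python
"""Model of why sys/internal/ui/mounts lists fewer mounts than sys/mounts.

Simplified illustration, not Vault's code: a mount is shown to a token when
some policy rule grants a non-deny capability at or beneath the mount path,
or is a glob whose fixed prefix covers the mount path.
"""
from typing import Dict, List

Policy = Dict[str, List[str]]  # rule path -> capabilities

# Rules from the post (leading slashes dropped for the model) plus the two
# rules of Vault's built-in "default" policy that matter here.  Assumption:
# the OIDC role issues tokens with the default policy attached, as Vault does
# unless no_default_policy is set.  The identity rule is templated per entity
# in the real default policy; a fixed placeholder stands in for it.
POSTED_POLICY: Policy = {
    "sys/mounts/*": ["create", "read", "update", "delete", "list", "sudo"],
    "sys/mounts": ["read", "list"],
    "sys/internal/ui/mounts/*": ["read", "list"],
    "sys/internal/ui/mounts": ["read", "list"],
    "cubbyhole/*": ["create", "read", "update", "delete", "list"],
    "identity/entity/id/ENTITY_ID_PLACEHOLDER": ["read"],
}

# Secrets-engine mounts as shown in the post's `vault secrets list` output.
MOUNTS = [
    "aws/", "bla/", "cubbyhole/", "identity/",
    "pki-web-intern-ecdsa/", "pki-web-intern-rsa/", "sc_pki/", "sys/",
]


def has_mount_access(mount: str, policy: Policy) -> bool:
    """Would the UI mount listing include `mount` for a token with `policy`?

    A rule makes the mount visible when it carries a non-deny capability and
    either sits at or beneath the mount ("sys/mounts/*" under "sys/") or is a
    glob whose fixed prefix reaches the mount ("*" or "pki-*" over "pki-.../").
    Segment wildcards ('+') and templated paths are not modelled.
    """
    for rule_path, caps in policy.items():
        if not caps or "deny" in caps:
            continue
        is_glob = rule_path.endswith("*")
        fixed = rule_path[:-1] if is_glob else rule_path
        if fixed.startswith(mount):              # rule at or under the mount
            return True
        if is_glob and mount.startswith(fixed):  # glob reaching the mount
            return True
    return False


def visible_mounts(mounts: List[str], policy: Policy) -> List[str]:
    """Mounts the UI would list, in the order given."""
    return [m for m in mounts if has_mount_access(m, policy)]


def extend_policy(policy: Policy, extra: Policy) -> Policy:
    """Return a copy of `policy` with additional rules merged in."""
    merged = dict(policy)
    merged.update(extra)
    return merged


# Hypothetical rules scoped to the application paths a token actually needs.
# Each grants a capability beneath a mount, which is what makes that mount
# show up in the UI; mounts without such a rule stay hidden.
APP_RULES: Policy = {
    "bla/metadata/*": ["list"],                # KV v2: browse keys
    "bla/data/*": ["read"],                    # KV v2: read secret versions
    "aws/creds/*": ["read"],                   # AWS engine: fetch credentials
    "pki-web-intern-rsa/issue/*": ["update"],  # PKI: issue certificates
}

if __name__ == "__main__":
    print("visible with posted policy:", visible_mounts(MOUNTS, POSTED_POLICY))
    print("visible after adding app rules:",
          visible_mounts(MOUNTS, extend_policy(POSTED_POLICY, APP_RULES)))
```

With the posted policy the model yields exactly the three mounts the UI shows (cubbyhole/, identity/, sys/); adding rules under bla/, aws/ and one PKI mount makes those appear while sc_pki/ and the ECDSA PKI mount, which got no rule, stay hidden.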