Trying to understand path mapping with LDAP groups

I’m new to Vault, and I’m trying to set up Vault to connect to Active Directory, and allow a specific group to manage (create, update, read, delete) a Key/Value v2 engine named ‘sandbox’.

I have the LDAP side working, as I’m able to sign in via vault login -method=ldap and I get back a good token.

vault login -method=ldap
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  xxxxxxxxxxxxxxxxxxxxxxxxxxxx
token_accessor         xxxxxxxxxxxxxxxxxxxxxxxxxxxx
token_duration         10h
token_renewable        true
token_policies         ["default" "policy-vault-sandbox"]
identity_policies      []
policies               ["default" "policy-vault-sandbox"]
token_meta_username    mdelaney

I have a policy called policy-vault-sandbox which is defined as:

cat <<EOF | vault policy write policy-vault-sandbox -
  path "secret/sandbox/*" {
    capabilities = ["create", "update", "read", "delete"]
  }
EOF

This all seems fine, but when I sign into the UI the sandbox engine doesn’t show up, and when I try via vault list secret/sandbox/, I get a permission denied error.

What am I doing wrong?

  • Mike D.

I think you’re missing list from capabilities.

Stupid question, but did you even enable your sandbox k/v secrets engine? I can’t see the command for it. And if you did, for k/v version two you’ll need to add data and metadata to the paths.

And for the UI, as mentioned by @hijak, you’ll need list, too.
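Putting both replies together, here is what the policy looks like once it targets the KV v2 paths and includes list. This is an added example, not code from either poster; it assumes the KV v2 engine is mounted at secret/ with the team's keys under sandbox/, which is what the original policy's secret/sandbox/* suggests (if the engine is instead mounted at sandbox/, the paths become sandbox/data/* and sandbox/metadata/*).

```hcl
# Added example policy (not from the original thread).
# Assumption: KV v2 mounted at "secret/", e.g. enabled with
#   vault secrets enable -path=secret -version=2 kv
#
# KV v2 exposes every key twice: under data/ (the versioned values) and
# under metadata/ (the version index that LIST operates on). The original
# policy granted "secret/sandbox/*", which the v2 engine never serves, and
# carried no "list" capability, so listing was denied.

# Create, read, update and soft-delete the latest version of any key
# under sandbox/.
path "secret/data/sandbox/*" {
  capabilities = ["create", "update", "read", "delete"]
}

# Listing keys is a LIST on the metadata path; this is what the UI and
# `vault kv list secret/sandbox/` actually request. "delete" here removes
# all versions and the metadata for a key.
path "secret/metadata/sandbox/*" {
  capabilities = ["list", "read", "delete"]
}
```

With this policy, use the v2-aware `vault kv list secret/sandbox/` rather than `vault list secret/sandbox/`; the kv subcommand rewrites the request to the metadata path, while the raw list command does not and would still be denied.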