I have a fresh installation of Vault. I’ve created an admin policy using this template and then created a dev/ KV backend while logged in as the admin. The issue is that I can’t see the secret listed in the UI, but I can see it using CLI’s
vault secrets list
Weirdly enough, I could see the backend if I logged in to the UI using the root token.
Now, by sniffing the HTTP traffic I saw that the CLI calls
The former returns dev/, cubbyhole/, identity/ and sys/, while the latter returns only cubbyhole/, identity/ and sys/. In both requests I’m using the same token for the admin user; however, if I were to use the root token, I’d see dev/ in both requests.
I couldn’t find in the docs which permissions the sample admin policy is missing that prevent it from seeing the backends in the web UI.
There is no such thing as an ‘admin’ user in Vault. There is the root token (which you should actually revoke as soon as you’re done setting up) and then there is everyone else.
A token has every policy.
Everyone else falls under the default policy which is “DENY” first. You specifically have to allow them access to see it. The UI has different paths and requirements, so it’s possible that a policy allowed API access to something where the UI doesn’t.
If you’re unsure of what to allow, turn on the audit log and go to the webpage; you’ll see the failures in the log, and you can try adding to your policy the paths that you would like to have access to.
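The audit-log approach suggested in the reply above, as an added example that is not part of the original thread: it collects permission-denied responses from a Vault file audit log and renders candidate policy stanzas for review. It assumes one JSON object per line with `type`, `request.path`, `request.operation` and `error` fields; the sample lines are constructed, their paths are placeholders rather than real Vault endpoints, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape written by Vault's file audit device
# (one JSON object per line). Paths are placeholders, not real Vault endpoints.
SAMPLE_LOG = """\
{"type":"request","request":{"operation":"read","path":"placeholder/ui-listing"}}
{"type":"response","request":{"operation":"read","path":"placeholder/ui-listing"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"type":"response","request":{"operation":"list","path":"dev/placeholder/"},"error":"permission denied"}
{"type":"response","request":{"operation":"read","path":"dev/placeholder/"},"error":"permission denied"}
{"type":"response","request":{"operation":"read","path":"sys/placeholder-ok"}}
not json: truncated line
"""


def denied_requests(lines):
    """Return {path: set(operations)} for responses that failed with permission denied."""
    denied = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or non-JSON lines (e.g. a log cut mid-write)
        if not isinstance(entry, dict) or entry.get("type") != "response":
            continue  # request entries carry no outcome, only responses do
        if "permission denied" not in (entry.get("error") or ""):
            continue
        req = entry.get("request") or {}
        path, op = req.get("path"), req.get("operation")
        if path and op:
            denied[path].add(op)
    return dict(denied)


def policy_stanzas(denied):
    """Render candidate stanzas; assumes operation names map 1:1 to capabilities."""
    out = []
    for path in sorted(denied):
        caps = ", ".join(f'"{c}"' for c in sorted(denied[path]))
        out.append(f'path "{path}" {{\n  capabilities = [{caps}]\n}}')
    return "\n\n".join(out)


if __name__ == "__main__":
    print(policy_stanzas(denied_requests(SAMPLE_LOG.splitlines())))
```

Review each stanza before adding it to a policy: a denied request shows what the UI asked for, not necessarily what the token should be granted.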
There isn’t by default, but there is an admin policy template, which I linked in my original post. I applied it and assigned it to an entity, which I used in this example.
Debugging using this method would be the last resort. I therefore asked for a reference in the docs, as the use case doesn’t sound that unordinary.