Unable to create KV secret with CLI, but can in UI (using root token)

Hi all,

I’m pulling my hair out. This is a fresh install of vault/consul for testing (1.7.1). So I can create secrets in the UI logged in with root token (secret/jenkins/gitlab username, password) which I did just fine.

Ok, so I’m using this for jenkins casc configuration and nothing is populated in the credential. So I go to check to see if I can see the kv with the CLI

vault kv get secret/jenkins/gitlab/username
Error making API request.

URL: GET 
http://vault.xxx.xxx:8200/v1/sys/internal/ui/mounts/secret/jenkins/gitlab/username
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to 
path "secret/jenkins/gitlab/username/"

But I’m logged in with root token???

I am also unable to create secrets from the CLI like so:
vault kv put secret/test test=test

basically the same error as above, it doesn’t want to give me any access even when logged in with the root token.

I have Terraform working using the GCP auth method with the root token so I have to be missing something here, and I’m following the docs closely as I’m a noob to Vault. Any ideas?

Thanks

What does
$ vault token capabilities secret/jenkins/gitlab/username say?
Is username the actual secret, or a key in the secret?

Hi,

Thanks for the response gitlab is the secret with two keys, username and password.

Running the above command yields: root

However, running:
vault kv get secret/jenkins/gitlab
Error making API request.

URL: GET http://xxx.xxx.xxx:8200/v1/sys/internal/ui/mounts/secret/jenkins/gitlab
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to 
path "secret/jenkins/gitlab/"

But, if I do a:
vault kv get kv/jenkins/gitlab
====== Metadata ======
Key Value
— -----
created_time 2021-05-07T14:14:50.773535865Z
deletion_time n/a
destroyed false
version 1

====== Data ======
Key         Value
---         -----
password     mypassword
username    myusername

So, I don’t know what to think here. Either I’m doing something wrong or the documentation needs some serious work, none of it is straight forward. With the KV store I’ve seen all kinds of different ways of referring to a path, even some that have “data” injected into it. Can’t make heads or tails of it.

It appears you have a kv secret engine mounted at kv/ and another at secret/
$ vault secrets list

Can you link to the doc you’re following that has you creating something at secret but reading it at kv or vice-versa? That’d be a problem for sure…

vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_0b69ff58    per-token private secret storage
gcp/          gcp          gcp_2e50dca2          n/a
identity/     identity     identity_275ab38f     identity store
kv/           kv           kv_ab415514           n/a
sys/          system       system_11515026       system endpoints used for control, policy and 
debugging

I followed this document, I never typed in the word secret until the ACL rules section.
kv docs

It’s not very clear at all, the only place I typed in kv was the first step when I enabled it.

The only reason I changed it to kv in the path to see if it would work was running the command above and seeing the path there. I still can’t create any secrets with
vault kv put secret/…/
on the command line, but I can in the UI.

That’s not really a top to bottom tutorial.
You might want to run thru this - Versioned Key/Value Secrets Engine | Vault - HashiCorp Learn

That is expected. vault secrets list does not have secret/ as a KV path.
If you want to use secret/ you need to:
$ vault secrets enable -path=secret kv
Success! Enabled the kv secrets engine at: secret/

Or, run in dev mode…Many tutorials will have you run Vault in dev mode - which has
Additionally, when running a dev-mode server, the v2 kv secrets engine is enabled by default at the path secret/

Thanks Mike, I’ll run through those docs instead, but at least I’m getting somewhere now :slight_smile: