I’m pulling my hair out. This is a fresh install of vault/consul for testing (1.7.1). So I can create secrets in the UI logged in with root token (secret/jenkins/gitlab username, password) which I did just fine.
Ok, so I’m using this for jenkins casc configuration and nothing is populated in the credential. So I go to check to see if I can see the kv with the CLI:
vault kv get secret/jenkins/gitlab/username
Error making API request.
URL: GET http://vault.xxx.xxx:8200/v1/sys/internal/ui/mounts/secret/jenkins/gitlab/username
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to
path "secret/jenkins/gitlab/username/"
But I’m logged in with root token???
I am also unable to create secrets from the CLI like so:
vault kv put secret/test test=test
Basically the same error as above; it doesn’t want to give me any access even when logged in with the root token.
I have Terraform working using the GCP auth method with the root token so I have to be missing something here, and I’m following the docs closely as I’m a noob to Vault. Any ideas?
Thanks for the response. gitlab is the secret with two keys, username and password.
Running the above command yields: root
However, running:
vault kv get secret/jenkins/gitlab
Error making API request.
URL: GET http://xxx.xxx.xxx:8200/v1/sys/internal/ui/mounts/secret/jenkins/gitlab
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to
path "secret/jenkins/gitlab/"
But, if I do a:
vault kv get kv/jenkins/gitlab
====== Metadata ======
Key Value
--- -----
created_time 2021-05-07T14:14:50.773535865Z
deletion_time n/a
destroyed false
version 1
====== Data ======
Key Value
--- -----
password mypassword
username myusername
So, I don’t know what to think here. Either I’m doing something wrong or the documentation needs some serious work; none of it is straightforward. With the KV store I’ve seen all kinds of different ways of referring to a path, even some that have “data” injected into it. Can’t make heads or tails of it.
vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_0b69ff58 per-token private secret storage
gcp/ gcp gcp_2e50dca2 n/a
identity/ identity identity_275ab38f identity store
kv/ kv kv_ab415514 n/a
sys/ system system_11515026 system endpoints used for control, policy and debugging
I followed this document (kv docs); I never typed in the word secret until the ACL rules section.
It’s not very clear at all; the only place I typed in kv was the first step, when I enabled it.
The only reason I changed it to kv in the path, to see if it would work, was running the command above and seeing the path there. I still can’t create any secrets with
vault kv put secret/…/
on the command line, but I can in the UI.
That is expected. vault secrets list does not have secret/ as a KV path.
If you want to use secret/ you need to:
$ vault secrets enable -path=secret kv
Success! Enabled the kv secrets engine at: secret/
Or, run in dev mode. Many tutorials will have you run Vault in dev mode, which has this: “Additionally, when running a dev-mode server, the v2 kv secrets engine is enabled by default at the path secret/”
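The whole mix-up above (secret/ vs kv/, and the “data” segment that shows up in some paths) comes down to how a `vault kv` path is routed: the first segment must be an enabled KV mount, the CLI looks that mount up through sys/internal/ui/mounts/<path> (the URL in the 403 errors shown earlier), and for kv v2 the real API path gets data/ or metadata/ inserted after the mount. The script below is an added illustration, written for this page and not posted by anyone in the thread; it reproduces that resolution offline. The mount tables are constructed from the `vault secrets list` output above, reduced to three columns, with kv version numbers assumed (plain `vault secrets list` does not show them) and a second table that adds secret/ as the reply suggests. The function names and table format are my own, not Vault CLI features.

```shell
#!/bin/sh
# Added example, not code from the thread: resolve a `vault kv` path to its
# KV mount and to the raw /v1/ API path the CLI ends up calling for it.
# Everything here runs offline against constructed mount tables.

# Mount table constructed from the thread's `vault secrets list` output,
# reduced to: mount path, type, kv version. Versions are assumed (the plain
# listing on the page does not show them); `-` marks a non-kv mount.
MOUNTS_BEFORE='cubbyhole/ cubbyhole -
gcp/ gcp -
identity/ identity -
kv/ kv 2
sys/ system -'

# Same table after the reply's fix, assuming secret/ was enabled as kv v2
# (`vault secrets enable -path=secret -version=2 kv`). Note that plain
# `vault secrets enable -path=secret kv` mounts kv v1, which has no data/ segment.
MOUNTS_AFTER="$MOUNTS_BEFORE
secret/ kv 2"

# kv_mount_for TABLE PATH
# Print "<mount> <version>" for the kv mount that owns PATH. Vault routes a
# request to the mount with the longest matching prefix, so nested mounts work.
# Returns 1 when no kv mount matches, which is the state behind the thread's
# preflight 403 for secret/... before secret/ was enabled.
kv_mount_for() {
  _table=$1
  _path=$2
  _best=''
  _best_ver=''
  while read -r _mount _type _ver; do
    [ "$_type" = kv ] || continue
    case "$_path" in
      "$_mount"*)
        if [ "${#_mount}" -gt "${#_best}" ]; then
          _best=$_mount
          _best_ver=$_ver
        fi
        ;;
    esac
  done <<EOF
$_table
EOF
  [ -n "$_best" ] || return 1
  printf '%s %s\n' "$_best" "$_best_ver"
}

# kv_api_path TABLE PATH [data|metadata]
# Build the API path behind `vault kv get PATH`: kv v2 inserts data/ (or
# metadata/) between the mount and the secret path, kv v1 does not. This is
# the "data" the original poster saw injected into paths in other examples.
kv_api_path() {
  _table=$1
  _path=$2
  _kind=${3:-data}
  _m=$(kv_mount_for "$_table" "$_path") || return 1
  _mount=${_m% *}
  _ver=${_m#* }
  _rel=${_path#"$_mount"}
  if [ "$_ver" = 2 ]; then
    printf 'v1/%s%s/%s\n' "$_mount" "$_kind" "$_rel"
  else
    printf 'v1/%s%s\n' "$_mount" "$_rel"
  fi
}

# show TABLE PATH LABEL: print the resolved API path or the failure.
show() {
  if _api=$(kv_api_path "$1" "$2"); then
    echo "$3: $2 -> $_api"
  else
    echo "$3: $2 -> no kv mount matches (this is what the preflight 403 reports)"
  fi
}

show "$MOUNTS_BEFORE" kv/jenkins/gitlab     before
show "$MOUNTS_BEFORE" secret/jenkins/gitlab before
show "$MOUNTS_AFTER"  secret/jenkins/gitlab after
```

Run it as-is to see kv/jenkins/gitlab resolve to v1/kv/data/jenkins/gitlab, secret/jenkins/gitlab fail against the original mount table, and the same path succeed once secret/ is in the table. The root token is irrelevant to that failure: no policy can grant access to a mount that does not exist, so the preflight lookup fails before any ACL is consulted.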