Unable to Delete Auth Method (Even with All Permissions on All Paths)

Docker image 1.3.0

Hello!

I have the following policy:

path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

It is named ‘fbn-vault-superadmin’, as it should (if I am not mistaken) give all access to all paths.

I log in via the CLI and obtain this policy in my token:

Key                    Value
---                    -----
token                  -
token_accessor         oj8zjeBuZj4H0unhxmjC8Xia
token_duration         5m
token_renewable        true
token_policies         ["default" "fbn-vault-admin" "fbn-vault-general-user" "fbn-vault-superadmin"]
identity_policies      []
policies               ["default" "fbn-vault-admin" "fbn-vault-general-user" "fbn-vault-superadmin"]
token_meta_policies    fbn-vault-general-user,fbn-vault-admin,fbn-vault-superadmin
token_meta_username    jhwbarlow@foo.com

I try to delete an auth method:

vault auth disable oidc
Error disabling auth method at oidc/: Error making API request.

URL: DELETE https://vault.foo.com/v1/sys/auth/oidc
Code: 403. Errors:

* 1 error occurred:
	* permission denied

I try a different way:

vault delete sys/auth/oidc
Error deleting sys/auth/oidc: Error making API request.

URL: DELETE https://vault.foo.com/v1/sys/auth/oidc
Code: 403. Errors:

* 1 error occurred:
	* permission denied

I try logging in using a different auth method (AppRole) to get a different policy (‘terraform-bootstrap’) which should also have sufficient permissions to delete auth methods:

<snip>
path "sys/auth"
{
  capabilities = ["read", "list"] 
}

path "sys/auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"] 
}
<snip>

Key                     Value
---                     -----
token                   -
token_accessor          5MzPB3tSCFRZU9nBjDXmufbn
token_duration          15m
token_renewable         true
token_policies          ["default" "terraform-bootstrap"]
identity_policies       []
policies                ["default" "terraform-bootstrap"]
token_meta_role_name    terraform-bootstrap

vault delete sys/auth/oidc
Error deleting sys/auth/oidc: Error making API request.

URL: DELETE https://vault.foo.com/v1/sys/auth/oidc
Code: 403. Errors:

* 1 error occurred:
	* permission denied

It is not just this auth method endpoint/mount, I face the same issue (under both aforementioned logins) for other auth methods as well:

vault delete sys/auth/userpass
Error deleting sys/auth/userpass: Error making API request.

URL: DELETE https://vault.foo.com/v1/sys/auth/userpass
Code: 403. Errors:

* 1 error occurred:
	* permission denied

I’m completely confounded by this.

Thanks

A few things to check.
Does Docker version 1.3.0 mean Vault 1.3.0? It might be worth upgrading to a later dot release anyway; there were a few fixes and even a CVE or two in 1.3.0, I recall.

You’re running Vault on port 443/https? Not the default 8200?

Are you sure you don’t have a policy somewhere with a deny on /sys/? Any deny will override any other policy that allows it.

Are you using namespaces in Vault (enterprise)?

Can you share the output of:
$ vault auth list

and
$ vault token capabilities token-here /sys/auth/
$ vault token capabilities token-here /sys/auth/oidc
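To make the "look for a stray deny" check concrete, here is an added example (not code from the original thread and not Vault's own source) that models the ACL rules Vault documents: rules for the same path are merged across all of a token's policies with deny winning, the single most specific matching path is selected for a request (exact match beats glob, longest glob prefix beats shorter), and root-protected paths such as sys/auth/<mount> also need sudo. The two policies quoted in the thread are fed in as-is; the LOCKDOWN and BROAD_DENY policies are constructed for the example and are not known to exist in the poster's Vault. The model ignores "+" segment wildcards, templated paths, namespaces and the create-vs-update distinction.

```python
"""Toy model of Vault's documented ACL evaluation. Added example, not Vault code.
  1. Same-path rules across a token's policies merge: capabilities are unioned,
     and "deny" in any one of them makes that path deny.
  2. One rule is applied per request: an exact path match beats any glob; among
     globs the longest prefix wins.
  3. In that rule, "deny" beats everything; otherwise the operation's capability
     is required, plus "sudo" on root-protected paths (e.g. sys/auth/<mount>).
Not modelled: "+" wildcards, templated paths, namespaces, create vs. update.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Only understands the `path "..." { capabilities = [...] }` shape used in the
# thread; it is not a general HCL parser.
_RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Return {path: set(capabilities)} for every path block in one policy."""
    rules: Dict[str, Set[str]] = {}
    for path, caps in _RULE_RE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def merge_policies(policies: List[str]) -> Dict[str, Set[str]]:
    """Merge a token's policies per path (rule 1); deny is sticky."""
    merged: Dict[str, Set[str]] = {}
    for hcl in policies:
        for path, caps in parse_policy(hcl).items():
            current = merged.setdefault(path, set())
            if "deny" in caps or "deny" in current:
                merged[path] = {"deny"}
            else:
                current |= caps
    return merged


def most_specific_rule(merged: Dict[str, Set[str]], request_path: str) -> Optional[str]:
    """Pick the one rule Vault would apply to request_path (rule 2)."""
    if request_path in merged:
        return request_path                        # exact match beats globs
    globs = [p for p in merged
             if p.endswith("*") and request_path.startswith(p[:-1])]
    return max(globs, key=len) if globs else None  # longest prefix wins


def check(policies: List[str], capability: str, request_path: str,
          sudo_required: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for an operation needing `capability` (rule 3)."""
    merged = merge_policies(policies)
    rule = most_specific_rule(merged, request_path)
    if rule is None:
        return False, "permission denied: no rule matches %s" % request_path
    caps = merged[rule]
    if "deny" in caps:
        return False, 'permission denied: rule "%s" is deny' % rule
    needed = {capability} | ({"sudo"} if sudo_required else set())
    missing = sorted(needed - caps)
    if missing:
        return False, 'permission denied: rule "%s" lacks %s' % (rule, missing)
    return True, 'allowed by rule "%s"' % rule


# Policies quoted in the thread:
SUPERADMIN = '''
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
'''
TERRAFORM_BOOTSTRAP = '''
path "sys/auth" {
  capabilities = ["read", "list"]
}
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
'''
# Constructed for this example only: the kind of stray deny the reply asks about.
LOCKDOWN = '''
path "sys/auth/*" {
  capabilities = ["deny"]
}
'''
BROAD_DENY = '''
path "sys/*" {
  capabilities = ["deny"]
}
'''

if __name__ == "__main__":
    for pols in ([SUPERADMIN], [SUPERADMIN, TERRAFORM_BOOTSTRAP],
                 [SUPERADMIN, TERRAFORM_BOOTSTRAP, LOCKDOWN],
                 [TERRAFORM_BOOTSTRAP, BROAD_DENY]):
        print(check(pols, "delete", "sys/auth/oidc", sudo_required=True))
```

The third case is the one the reply is hinting at: with the quoted policies alone the DELETE on sys/auth/oidc is allowed by the most specific rule ("sys/auth/*" from terraform-bootstrap, or "*" from the superadmin policy on its own), but one extra policy with deny on "sys/auth/*" turns the same request into a 403 regardless of how many other policies grant sudo. The fourth case shows the caveat that cuts the other way: a deny on the broader "sys/*" does not beat the more specific "sys/auth/*" allow, so when hunting for the culprit, compare path specificity, not just the presence of deny. On a live Vault the equivalent is `vault policy read <name>` for each policy on the token plus `vault token capabilities <token> sys/auth/oidc`, which prints "deny" when a deny rule is what matched.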