Unable to "Read" although token seems to have the capability

$ vault token capabilities s.Y4LtoeoB4VNR4PDt0axXyWlb secret/public
list, read
$ VAULT_TOKEN=s.Y4LtoeoB4VNR4PDt0axXyWlb vault kv get secret/public
Error reading secret/data/public: Error making API request.

URL: GET http://127.0.0.1:8200/v1/secret/data/public
Code: 403. Errors:

* 1 error occurred:
	* permission denied

What am I missing here?

The policy file used:

path "secret/public" {
  capabilities = ["read", "list"]
}

Hi, dewan.

If you look at the error message from your “kv get” command you’ll see it’s complaining about secret/data/public. The kv-v2 secret engine mounted at secret has a subpath secret/data for reads and writes, and secret/metadata for metadata, and one called secret/config for configuration.

To read, you need access to secret/data/public; there’s nothing at secret/public. The vault kv command takes care of accessing the right path depending on the type of the mount, but the policy needs to specify the complete path.

See https://www.vaultproject.io/api/secret/kv/kv-v2.html for details of the different paths under a kv-v2 mount point.

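To make the path mapping in the answer above concrete, here is an added example (not code from the thread or from Vault itself) that translates the logical path typed on the `vault kv` command line into the API path the CLI really requests, then checks a policy against it. The policy matcher is a simplified model of Vault's ACL rules, assumed here to be "exact match beats a trailing-`*` glob, and the longest matching prefix wins"; it is enough to show why a rule on `secret/public` can never satisfy a read of `secret/data/public`, and why `vault token capabilities` on the wrong path reports capabilities the real request will not get.

```python
"""Resolve kv-v2 CLI paths to API paths and evaluate a policy against them.

Constructed example: the two policies below are the thread's original and
corrected ones; the matching logic is a deliberately small approximation of
Vault's longest-prefix ACL evaluation, not the Vault source.
"""
from typing import Dict, List, Tuple

# {path pattern: [capabilities]}, equivalent to HCL `path "..." { capabilities = [...] }`.
Policy = Dict[str, List[str]]

# Sub-path of a kv-v2 mount that each `vault kv` subcommand actually hits.
KV2_SUBPATH = {
    "get": "data",          # GET    <mount>/data/<path>
    "put": "data",          # POST   <mount>/data/<path>
    "delete": "data",       # DELETE <mount>/data/<path>
    "list": "metadata",     # LIST   <mount>/metadata/<path>
    "metadata": "metadata", # GET    <mount>/metadata/<path>
}

# Capability the policy must grant for each subcommand to succeed.
REQUIRED_CAP = {
    "get": "read",
    "put": "update",
    "delete": "delete",
    "list": "list",
    "metadata": "read",
}


def kv2_api_path(mount: str, secret_path: str, op: str) -> str:
    """Map the logical path to the API path, e.g. ("secret", "public", "get")
    -> "secret/data/public". This is what the policy has to name."""
    return f"{mount.strip('/')}/{KV2_SUBPATH[op]}/{secret_path.strip('/')}"


def _match_score(pattern: str, api_path: str) -> int:
    """How specifically `pattern` matches `api_path`; -1 means no match.
    An exact match outranks any glob, and a longer glob prefix outranks a shorter one."""
    if pattern == api_path:
        return len(api_path) + 1
    if pattern.endswith("*") and api_path.startswith(pattern[:-1]):
        return len(pattern) - 1
    return -1


def capabilities_for(policy: Policy, api_path: str) -> List[str]:
    """Capabilities granted on api_path by the single most specific matching rule."""
    best_score, best_caps = -1, []
    for pattern, caps in policy.items():
        score = _match_score(pattern, api_path)
        if score > best_score:
            best_score, best_caps = score, caps
    return sorted(set(best_caps))


def check(policy: Policy, mount: str, secret_path: str, op: str) -> Tuple[str, List[str], bool]:
    """Return (api path requested, capabilities found there, whether `op` is allowed)."""
    api_path = kv2_api_path(mount, secret_path, op)
    caps = capabilities_for(policy, api_path)
    allowed = "deny" not in caps and REQUIRED_CAP[op] in caps
    return api_path, caps, allowed


# Constructed policies: the one the question started with, and the corrected one.
BROKEN_POLICY: Policy = {"secret/public": ["read", "list"]}
FIXED_POLICY: Policy = {"secret/data/public": ["read", "list"]}

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        api_path, caps, ok = check(pol, "secret", "public", "get")
        print(f"{name:6}: kv get secret/public -> {api_path} caps={caps} allowed={ok}")
```

Two things the run makes visible: `vault token capabilities ... secret/public` reports `list, read` simply because it evaluates the literal path you gave it, not the `data/` path a `kv get` will use; and the `list` capability in the corrected rule buys nothing for `vault kv list`, which goes to `secret/metadata/...` and needs its own rule there.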

thanks @mgritter

after updating the policy file with

path "secret/data/public" {
  capabilities = ["read", "list"]
}

the command worked. Thanks for the helpful link and explanation. Much appreciated :pray: