$ vault token capabilities s.Y4LtoeoB4VNR4PDt0axXyWlb secret/public
list, read
$ VAULT_TOKEN=s.Y4LtoeoB4VNR4PDt0axXyWlb vault kv get secret/public
Error reading secret/data/public: Error making API request.
URL: GET http://127.0.0.1:8200/v1/secret/data/public
Code: 403. Errors:
* 1 error occurred:
* permission denied
What am I missing here?
The policy file used:
path "secret/public" {
capabilities = [“read”, “list”]
}
Hi, dewan.
If you look at the error message from your “kv get” command you’ll see it’s complaining about secret/data/public. The kv-v2 secret engine mounted at secret has a subpath secret/data for reads and writes, and secret/metadata for metadata, and one called secret/config for configuration.
To read, you need access to secret/data/public; there’s nothing at secret/public. The vault kv command takes care of accessing the right path depending on the type of the mount, but the policy needs to specify the complete path.
See https://www.vaultproject.io/api/secret/kv/kv-v2.html for details of the different paths under a kv-v2 mount point.
thanks @mgritter
after updating the policy file with
path “secret/data/public” {
capabilities = [“read”, “list”]
}
the command worked. Thanks for the helpful link and explanation. Much appreciated 