Understanding the secrets move command

There’s a test Vault installation.
There’s a role with a policy like this:

path "sys/mounts" { capabilities = ["list", "read", "create", "update", "delete"] }
path "sys/mounts/*" { capabilities = ["list", "read", "create", "update", "delete"] }
path "sys/remount" { capabilities = ["list", "read", "create", "update", "delete"] }

When I try to remount the storage I get this error:

vault secrets move secret/path1 secret/path2
Error moving secrets engine secret/path1/ to secret/path2/: Error making API request.

URL: POST http://vault.local:8200/v1/sys/remount
Code: 403. Errors:

* 1 error occurred:
        * permission denied

The same command via curl:

curl -X POST -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"from":"secret/path1","to":"secret/path2"}' http://vault.local:8200/v1/sys/remount

{"errors":["1 error occurred:\n\t* permission denied\n\n"]}

What am I doing wrong? Should I ask for additional permissions?

Is `secret` the mount or `secret/path1`? What does `list secrets` show?

vault secrets move moves secret engine mounts, not paths within a secret.

Can you perform the operation with a root/highly priv’d token?

I am trying to move a KV store to another path.
There’s a `secret/path1` KV1 store:

vault secrets list
secret/path1                                 kv                                   kv_9bd5a550           description

It works with root token.

Is there any way to define what privilege is required to execute any action?

So that should work. I’m not familiar with policy for remount, but you might try adding sudo to the sys/remount policy. It might be a root protected path.
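The policy from the question with the suggested change applied, as an added example that is not part of the thread; the weak sys/remount stanza is shown beside the corrected one, and the policy name used in the note below is a placeholder.

```hcl
# Unchanged from the question: full CRUD on the mount endpoints.
path "sys/mounts" {
  capabilities = ["list", "read", "create", "update", "delete"]
}
path "sys/mounts/*" {
  capabilities = ["list", "read", "create", "update", "delete"]
}

# As posted: sys/remount is a root-protected path, so these
# capabilities alone still return 403 "permission denied".
# path "sys/remount" {
#   capabilities = ["list", "read", "create", "update", "delete"]
# }

# Corrected: "sudo" is the one addition needed for
# `vault secrets move` to succeed with a non-root token.
# Grant it only here, not on sys/mounts/*, to keep the role minimal.
path "sys/remount" {
  capabilities = ["list", "read", "create", "update", "delete", "sudo"]
}
```

Load it with `vault policy write remount-role policy.hcl` (placeholder name) and confirm from a token holding that policy with `vault token capabilities sys/remount`, which should now list `sudo` among the capabilities.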

Yeap.
It’s root protected.
