Understanding Vault policies behavior

mfuxi · November 13, 2019, 6:16am

Hi,

There’s something weird that I don’t understand with the vault policies.

My policy looks like that:

path "secret/*" {
  capabilities = ["create"]
}

path "secret/foo" {
  capabilities = ["read"]
}

Two things I would like to understand:

Why can I read the “foo” secret only if add this path:
```
path "secret/data/foo" {
  capabilities = ["read"]
}
```
and also it can be done only from the CLI and not from GUI
Another things, I added in both “foo” paths I stated above the list capability, but no matter
what I do I can’t see it in the CLI nor in the GUI

What am I missing here?

Thanks!

mikegreen · November 15, 2019, 4:31pm

Which kv version are you using?

mfuxi · November 16, 2019, 12:32pm

It’s V2, but I understood my issue, I see there’s a major difference between with /data/ and without it.
Also I understood by this time the usage of /metadata/, without it you can’t list secrets.

But now i’m experiencing this bug:

I also added a comment on this bug on how to sort of workaround it.

Topic		Replies	Views
Not understanding Vault policies for secret paths Vault	8	2807	June 7, 2021
KV v2 list policy to hide all subpaths except for one Vault vault	4	1842	November 27, 2020
[Resolved] Vault Acl policy [newbie] Vault	2	124	April 3, 2024
Need clarification on policies Vault	7	712	April 13, 2021
Vault policy write only + read parameters too Vault	5	2257	November 28, 2021

Understanding Vault policies behavior

Related topics