Understanding Vault policies behavior


There’s something weird that I don’t understand with the vault policies.

My policy looks like that:

path "secret/*" {
  capabilities = ["create"]
}

path "secret/foo" {
  capabilities = ["read"]
}

Two things I would like to understand:

  1. Why can I read the “foo” secret only if I add this path:

    path "secret/data/foo" {
      capabilities = ["read"]
    }

    and also it can be done only from the CLI and not from the GUI

  2. Another thing: I added the list capability to both “foo” paths I stated above, but no matter
    what I do I can’t see it in the CLI nor in the GUI

What am I missing here?


Which kv version are you using?

It’s V2, but I understood my issue, I see there’s a major difference between paths with /data/ and without it.
Also I understood by this time the usage of /metadata/; without it you can’t list secrets.

But now I’m experiencing this bug:

I also added a comment on this bug on how to sort of workaround it.
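For reference, the policy shape the KV v2 engine expects for the two points raised in this thread (read needs the data/ prefix, list needs the metadata/ prefix). This is an added example, not the poster's policy; the mount name `secret/` and secret name `foo` are taken from the thread.

```hcl
# KV v2 policy (added example). The mount is "secret/" as in the thread.
# KV v2 inserts data/ and metadata/ into the API path, so the policy paths
# must include them; "secret/foo" alone never matches a v2 request.

# Write new versions of any secret under the mount (vault kv put secret/...).
path "secret/data/*" {
  capabilities = ["create", "update"]
}

# Read the latest version of secret/foo (vault kv get secret/foo).
path "secret/data/foo" {
  capabilities = ["read"]
}

# Listing is served from the metadata path (vault kv list secret/).
# A "list" capability on secret/data/* has no effect.
path "secret/metadata/*" {
  capabilities = ["list"]
}

# Version history of foo (vault kv metadata get secret/foo); the UI also
# reads this when it renders the secret.
path "secret/metadata/foo" {
  capabilities = ["read"]
}
```

After `vault policy write`, `vault token capabilities <token> secret/data/foo` shows the capabilities a token actually gets on the v2 path, which is the quickest way to check the policy before trying the CLI or UI.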