Use a policy to make certain secrets invisible from the list

Hello
I created a secret engine called ‘kv’ and created a secret engine called ‘aa’ and ‘bb’.
Through the policy, I want to make the secret ‘aa’ invisible to users and show ‘bb’ in the list.

I’ve tried the following:

```hcl
# Blanket access to everything under the kv mount, which also grants
# list on kv/metadata/, the path a KV v2 list request actually hits.
path "kv/*" {
   capabilities = ["create", "update", "delete", "read", "list"]
}
# Deny reading the secret's data ...
path "kv/data/aa" {
   capabilities = ["deny"]
}
# ... and its metadata.
path "kv/metadata/aa" {
   capabilities = ["deny"]
}
```

‘aa’ is still displayed in the secret list of the kv secrets engine in Vault’s web UI.
When it is clicked, the following message is displayed: ‘You do not have permission to read this secret.’

Is it possible to make the ‘aa’ secret invisible from the list?

Vault does not have the feature you’re describing, unfortunately.

You can only either allow the whole list operation to succeed or have it denied. There is no filtering of the returned list based on additional ACL evaluations of subpaths.

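As an added illustration (this is not code from the thread or from Vault itself), the following Python models the ACL decision the answer describes: a KV v2 list is one request to `kv/metadata/<prefix>`, the policy is evaluated on that single path, and the children that come back are never filtered against their own `data/` or `metadata/` rules. It then shows the structural alternative that does work: keep the secrets to hide under a separate prefix and grant `list` only on the visible prefix. The parser handles only the `path "..." { capabilities = [...] }` form with a trailing `*` glob, the precedence rule (exact match beats glob, longest glob prefix wins) is a simplification of Vault's matching, and the KV contents under `FLAT_STORE` and `PREFIX_STORE` are constructed sample data.

```python
import re

# Simplified model of Vault's policy evaluation for a KV v2 mount named "kv".
# Added illustration only: this is not Vault's ACL code, and it handles just
# the `path "..." { capabilities = [...] }` form with a trailing "*" glob.

# The policy from the question: blanket access under kv/*, with explicit
# deny rules on the data and metadata paths of the secret "aa".
ORIGINAL_POLICY = """
path "kv/*" {
  capabilities = ["create", "update", "delete", "read", "list"]
}
path "kv/data/aa" {
  capabilities = ["deny"]
}
path "kv/metadata/aa" {
  capabilities = ["deny"]
}
"""

# The structural alternative: keep hidden and visible secrets under separate
# prefixes and grant list only on the visible one. Nothing grants list on
# kv/metadata/ itself, so the "private/" folder is never enumerable.
PREFIX_POLICY = """
path "kv/data/public/*" {
  capabilities = ["read"]
}
path "kv/metadata/public/*" {
  capabilities = ["read", "list"]
}
"""

# Constructed KV v2 contents (key -> data); not taken from the thread.
FLAT_STORE = {"aa": {"pw": "hidden"}, "bb": {"pw": "visible"}}
PREFIX_STORE = {"private/aa": {"pw": "hidden"}, "public/bb": {"pw": "visible"}}


def parse_policy(text):
    """Return {path: set(capabilities)} for each path stanza in the policy."""
    stanza = r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}'
    return {path: set(re.findall(r'"([^"]+)"', caps))
            for path, caps in re.findall(stanza, text)}


def match_rule(rules, request_path):
    """Pick the rule Vault would apply: an exact path match wins outright,
    otherwise the glob with the longest matching prefix (simplified)."""
    if request_path in rules:
        return rules[request_path]
    best, best_len = None, -1
    for path, caps in rules.items():
        if path.endswith("*"):
            prefix = path[:-1]
            if request_path.startswith(prefix) and len(prefix) > best_len:
                best, best_len = caps, len(prefix)
    return best


def allowed(rules, request_path, capability):
    """One rule decides the request; "deny" in that rule beats everything."""
    caps = match_rule(rules, request_path)
    return caps is not None and "deny" not in caps and capability in caps


def kv_list(rules, store, prefix=""):
    """A KV v2 list is a single request to kv/metadata/<prefix>. The ACL is
    evaluated on that path alone; the children returned are not filtered
    against their own data/ or metadata/ rules."""
    list_path = "kv/metadata/" + prefix
    if not allowed(rules, list_path, "list"):
        raise PermissionError("permission denied on list " + list_path)
    children = set()
    for key in store:
        if key.startswith(prefix):
            head, sep, _ = key[len(prefix):].partition("/")
            children.add(head + sep)  # "name" for a leaf, "dir/" for a folder
    return sorted(children)


def kv_read(rules, store, key):
    """A read is a request to kv/data/<key>; here the deny rule does apply."""
    if not allowed(rules, "kv/data/" + key, "read"):
        raise PermissionError("permission denied on read kv/data/" + key)
    return store[key]


if __name__ == "__main__":
    rules = parse_policy(ORIGINAL_POLICY)
    print("original policy, list kv/:", kv_list(rules, FLAT_STORE))  # both keys
    try:
        kv_read(rules, FLAT_STORE, "aa")
    except PermissionError as e:
        print("original policy, read aa:", e)

    rules = parse_policy(PREFIX_POLICY)
    print("prefix policy, list kv/public/:", kv_list(rules, PREFIX_STORE, "public/"))
    try:
        kv_list(rules, PREFIX_STORE)
    except PermissionError as e:
        print("prefix policy, list kv/:", e)
```

With the original policy the list of `kv/` returns both `aa` and `bb` while the read of `aa` is denied, which is exactly the behaviour seen in the UI. With the prefix layout the user can list `kv/public/` but not `kv/` itself, so `private/` is never enumerated; the caveat is that in the web UI such a user cannot browse down from the mount root and has to navigate directly to the `public/` path.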