Vault_kv_secret_v2 require access to the metadata/... path even if I’m only updating a secret under data/

Nivedita-coder · October 7, 2025, 12:03pm

Hi folks,
I’m using terraform with Vault KV v2 to manage secrets. When I try to update a secret for the first time, I get the following error:

vault_kv_secret_v2.user: Modifying... [id=xxxx/data/]
╷
│ Error: error writing custom metadata to xxxx/metadata/xxxx, err=Error making API request. │
│ URL: PUT v1/xxxx/metadata/xxxx │ Code: 403. Errors: │ │ * 1 error occurred: │ * permission denied │ │
│ with vault_kv_secret_v2.user, │ on main.tf line 49, in resource "vault_kv_secret_v2" "user": │ 49: resource "vault_kv_secret_v2" "user" {

Interestingly, if I try the same operation a second time, it succeeds.Why does vault_kv_secret_v2 require access to the metadata/... path even if I’m only updating a secret under data/...?

jonathanfrappier · October 16, 2025, 5:38pm

There is general metadata, such as secret version, stored about the secret:

https://developer.hashicorp.com/vault/tutorials/secrets-management/versioned-kv#write-secrets

I’m not sure why running the same TF config would error, then succeed on a second attempt. You can also write custom metadata, which would be a guess based on the error. Without understanding your specific config here I would be at best making uneducated guesses and assumptions.

Topic		Replies	Views
Vault_kv_secret_v2 require access to the metadata/… path even if I’m only updating a secret under data/ Terraform Providers	0	18	October 7, 2025
Vault_kv_secret_v2 require access to the metadata/… path Terraform	1	52	October 16, 2025
Invalid path for a versioned K/V secrets engine Vault	2	21728	April 28, 2020
Write secret to Vault Enterprise with Terraform Vault	7	1047	January 5, 2022
KV Secret Engine - API Not working Vault	10	3951	May 5, 2020

Vault_kv_secret_v2 require access to the metadata/... path even if I’m only updating a secret under data/

Related topics