Vault_kv_secret_v2 require access to the metadata/… path even if I’m only updating a secret under data/

Nivedita-coder · October 7, 2025, 2:15pm

Hi folks,
I’m using terraform with Vault KV v2 to manage secrets. When I try to update a secret for the first time, I get the following error:

vault_kv_secret_v2.user: Modifying... [id=xxxx/data/]
╷
│ Error: error writing custom metadata to xxxx/metadata/xxxx, err=Error making API request.
│ 
│ URL: PUT v1/xxxx/metadata/xxxx
│ Code: 403. Errors:
│ 
│ * 1 error occurred:
│       * permission denied
│ 
│ 
│   with vault_kv_secret_v2.user,
│   on main.tf line 49, in resource "vault_kv_secret_v2" "user":
│   49: resource "vault_kv_secret_v2" "user" {

Interestingly, if I try the same operation a second time, it succeeds.Why does vault_kv_secret_v2 require access to the metadata/… path even if I’m only updating a secret under data/…?

Topic		Replies	Views
Vault_kv_secret_v2 require access to the metadata/... path even if I’m only updating a secret under data/ Vault	0	15	October 7, 2025
Write secret to Vault Enterprise with Terraform Vault	7	1024	January 5, 2022
Invalid path for a versioned K/V secrets engine Vault	2	21618	April 28, 2020
KV Secret Engine - API Not working Vault	10	3899	May 5, 2020
Managing secret metadata in Terraform Vault	4	1326	April 7, 2023

Vault_kv_secret_v2 require access to the metadata/… path even if I’m only updating a secret under data/

Related topics