Vault_kv_secret_v2 require access to the metadata/… path

Nivedita-coder · October 15, 2025, 9:33am

Hi folks,
I’m using terraform with Vault KV v2 to manage secrets. When I try to update a secret for the first time, I get the following error:

vault_kv_secret_v2.user: Modifying… [id=xxxx/data/]
╷
│ Error: error writing custom metadata to xxxx/metadata/xxxx, err=Error making API request.
│
│ URL: PUT v1/xxxx/metadata/xxxx
│ Code: 403. Errors:
│
│ * 1 error occurred:
│ * permission denied
│
│
│ with vault_kv_secret_v2.user,
│ on main.tf line 49, in resource “vault_kv_secret_v2” “user”:
│ 49: resource “vault_kv_secret_v2” “user” {

Interestingly, if I try the same operation a second time, it succeeds.Why does vault_kv_secret_v2 require access to the metadata/… path even if I’m only updating a secret under data/…?

apparentlymart · October 16, 2025, 10:55pm

Hi @Nivedita-coder,

Based on the source code implementing this resource type in the hashicorp/vault provider, it seems like this request is handling the value of the custom_metadata argument in vault_kv_secret_v2:

github.com/hashicorp/terraform-provider-vault

vault/resource_kv_secret_v2.go

a40720c81


      
          	// Write custom metadata for secret if provided
          	if _, ok := d.GetOk(consts.FieldCustomMetadata); ok {
          		cm := getCustomMetadata(d)
          
          		metadataPath := getKVV2Path(mount, name, consts.FieldMetadata)
          		log.Printf("[DEBUG] Writing custom metadata for secret at %s", path)
          		if _, err := client.Logical().Write(metadataPath, cm); err != nil {
          			return diag.Errorf("error writing custom metadata to %s, err=%s", metadataPath, err)
          		}
          	}

I notice that you already found this because you linked to it from a different issue, but just to make this link visible to anyone who finds this forum post there seems to be a bug where the provider calls this endpoint even when custom_metadata is unset:

github.com/hashicorp/terraform-provider-vault

bug: vault_kv_secret_v2 Permission denied for prefix/metadata/my/path/here

opened 05:08PM - 02 Jun 23 UTC

kiwimato

### Terraform Version ``` $ terraform -v Terraform v1.4.6 on linux_amd64 ``…` ### Affected Resource(s) - vault_kv_secret_v2 ### Terraform Configuration Files ```hcl resource "vault_kv_secret_v2" "test" { mount = "prefix" name = "my/path/here" cas = 1 delete_all_versions = true data_json = jsonencode( { bam = "bam", } ) } ``` ### Debug Output Actual request after setting `TF_LOG=DEBUG`: ``` 2023-06-02T18:31:56.141+0200 [INFO] provider.terraform-provider-vault_v3.15.2_x5: 2023/06/02 18:31:56 [DEBUG] Reading metadata for KVV2 secret at prefix/metadata/my/path/here: timestamp=2023-06-02T18:31:56.140+0200 2023-06-02T18:31:56.141+0200 [INFO] provider.terraform-provider-vault_v3.15.2_x5: 2023/06/02 18:31:56 [DEBUG] Vault API Request Details: ---[ REQUEST ]--------------------------------------- GET /v1/prefix/metadata/my/path/here HTTP/1.1 Host: redacted.system User-Agent: Go-http-client/1.1 X-Vault-Request: true X-Vault-Token: redacted Accept-Encoding: gzip ``` Response: ``` ---[ RESPONSE ]-------------------------------------- HTTP/2.0 403 Forbidden Content-Length: 60 Cache-Control: no-store Content-Type: application/json Date: Fri, 02 Jun 2023 16:31:56 GMT Strict-Transport-Security: max-age=15724800; includeSubDomains ``` ### Expected Behavior The secrets get created in Vault without Terraform popping out any errors. ### Actual Behavior The Vault secrets ARE getting created, however, the command fails afterwards with the error below. After creation it also fails on `terraform plan`, I assume it tries to read data from the wrong URL after creation. I also tried using a `data` instead to read whatever was created there and it gives the same error, so it might confirm it's a problem reading it. ``` │ Error: Error making API request. │ │ URL: GET https://redacted.system/v1/prefix/metadata/my/path/here │ Code: 403. Errors: │ │ * 1 error occurred: │ * permission denied ``` Tried debugging it, and it seems even with my admin credentials the path containing `metadata` doesn't exist but the one with `data` does: ``` $ vault read prefix/data/my/path/here Key Value --- ----- data map[redacted] metadata map[created_time:2023-06-02T15:47:09.015986611Z custom_metadata:<nil> deletion_time: destroyed:false version:1] $ vault read prefix/metadata/my/path/here Error reading prefix/metadata/my/path/here: Error making API request. URL: GET https://redacted.system/v1/prefix/metadata/my/path/here Code: 403. Errors: * 1 error occurred: * permission denied ``` ### Steps to Reproduce Please list the steps required to reproduce the issue, for example: 1. `terraform plan` - no errors, just says it wants to create the secret. 2. `terraform apply` - errors out with permission denied 3. `terraform plan` - errors out with permission denied ### Important Factoids None that I know of. ### References I assume it could be related to #1719 cc @vinay-gopalan

Topic		Replies	Views
Vault_kv_secret_v2 require access to the metadata/... path even if I’m only updating a secret under data/ Vault	1	38	October 16, 2025
Vault_kv_secret_v2 require access to the metadata/… path even if I’m only updating a secret under data/ Terraform Providers	0	17	October 7, 2025
Write secret to Vault Enterprise with Terraform Vault	7	1038	January 5, 2022
Unable to create KV secret with CLI, but can in UI (using root token) Vault	6	2596	May 7, 2021
KV Secret Engine - API Not working Vault	10	3933	May 5, 2020

Vault_kv_secret_v2 require access to the metadata/… path

Related topics