Vault policies - no permissions error

Hi,
I had issues with granting access to a Vault secret path.
My secret path is inside this folder:
secret/data/project1/group1/
I have my policy as:

path "secret/data/project1/group1/*" {
  capabilities = ["read", "list"]
}

I have attached this policy to the group1 LDAP group.
When I log in I can see the secret/ folder. However, when I try to access it, it gives me permission denied.
I am using the kv v2 engine.
I also tried to add /data to my root path like below, still no luck:

path "secret/data/data/project1/group1/*" {
  capabilities = ["read", "list"]
}

It works if I put * at the root level (below), but this is not what I am looking for since there are different project folders within the root.

path "secret/*" {
  capabilities = ["read", "list"]
}

Any suggestions?

“Login” meaning the UI?

You will need the list capability for the metadata path, not the data path.

path "secret/metadata/data/project1/group1/*" {
  capabilities = ["list"]
}

Hi Wolf,
Yes, from the UI.
It still gives me no permission after I click on secret.
So the structure is: secret -> data/data1/data2 -> project1 (inside data) -> group1/

I am trying the policy as:

path "secret/metadata/data/project1/group1/*" {
  capabilities = ["list"]
}

Still, in the UI, when I click on the root-level secret, right after this I see no permissions.
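
An added example, not part of any post in this thread and not Vault's own code: a simplified Python model of policy path matching that shows which LIST requests succeed when browsing from the mount root down to data/project1/group1. It assumes the UI lists each folder level under secret/metadata/ starting at the root; the parent-path rules in WITH_PARENTS are a constructed illustration.

```python
# Simplified model of Vault ACL matching (an assumption of this example):
# a trailing "*" is a prefix glob, any other rule must equal the request path,
# exact rules beat globs, and longer glob prefixes beat shorter ones.
def allowed(policy, path, capability):
    best_key, best_caps = None, []
    for rule, caps in policy.items():
        if rule.endswith("*"):
            if not path.startswith(rule[:-1]):
                continue
            key = (0, len(rule))
        elif rule == path:
            key = (1, len(rule))
        else:
            continue
        if best_key is None or key > best_key:
            best_key, best_caps = key, caps
    return capability in best_caps


def ui_walk(policy, mount, folder):
    """LIST requests made while clicking from the mount root down to `folder`.

    KV v2 serves listings from <mount>/metadata/..., never from <mount>/data/...
    """
    current = f"{mount}/metadata/"
    results = [(current, allowed(policy, current, "list"))]
    for part in folder.strip("/").split("/"):
        current += part + "/"
        results.append((current, allowed(policy, current, "list")))
    return results


# Constructed policies; the folder data/project1/group1 is taken from the thread.
POSTED = {
    "secret/data/data/project1/group1/*": ["read", "list"],
    "secret/metadata/data/project1/group1/*": ["list"],
}
WITH_PARENTS = {
    **POSTED,
    "secret/metadata/": ["list"],               # exact path: mount root only
    "secret/metadata/data/": ["list"],          # exact path: no trailing glob
    "secret/metadata/data/project1/": ["list"],
}

if __name__ == "__main__":
    for name, pol in (("posted", POSTED), ("with parents", WITH_PARENTS)):
        print(name)
        for path, ok in ui_walk(pol, "secret", "data/project1/group1"):
            print("  LIST", path, "->", "ok" if ok else "permission denied")
```

Listing a parent path returns only the names of its immediate children, so with the exact-path rules the other project folders' names become visible while their secrets stay unreadable.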