We’re running a PoC of Vault and are having issues with policies working in the API. They work in the CLI and Web UI, but we get a permission denied when run from the API. I haven’t had any luck finding a solution in forum posts or HashiCorp’s documentation for Vault.
I’m still rather new to setting up and managing Vault, as is my team.
Here’s the setup
Vault version: 1.13.2
OS: Red Hat Enterprise Linux 8.7
KV Engines: v2
Certificate: CSR generated on Vault system and issued by internal CA
Here is the policy that we are trying to get working:
```hcl
# Dev test key/value secrets: manage and list metadata.
path "kv-dev/metadata/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Dev test secrets: read, create, update, delete and list secret data.
path "kv-dev/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Soft-delete secret versions (the KV v2 endpoint is "delete/", not "deleted/").
path "kv-dev/delete/*" {
  capabilities = ["update"]
}
# Undelete (restore) soft-deleted secret versions.
path "kv-dev/undelete/*" {
  capabilities = ["update"]
}
# Permanently destroy secret versions.
path "kv-dev/destroy/*" {
  capabilities = ["update"]
}
```
curl request:
```shell
curl 'https://vault_server:8200/v1/secret/data/kv-dev/pocs/test' \
  --header 'X-Vault-Token: vault_token' \
  --header 'Content-Type: application/json'
```
The response from the curl request always comes back with:
```
HTTP 403 Forbidden
{
  "errors": [
    "1 error occurred:\n\t* permission denied\n\n"
  ]
}
```
As stated, the CLI and the Web UI work just fine.
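A useful way to debug a 403 like this is to check, offline, which policy rule (if any) Vault would apply to the exact path the API request hits. The script below is an added example, not part of the original post and not Vault's own code: it contains a small hand-written parser for the `path` stanzas of the policy above (a hypothetical helper, not the HCL library Vault uses) and implements Vault's ACL path-matching rules as documented: an exact rule wins over globs, a trailing `*` is a prefix glob, and `+` matches exactly one path segment. The request path for a KV v2 read is everything after `/v1/`, so the curl in the post is evaluated against `secret/data/kv-dev/pocs/test`; the check shows that no rule in the policy matches it, while `kv-dev/data/pocs/test` is granted `read`.

```python
import re

# Constructed copy of the policy from the post (KV v2 paths, "delete/" spelled per the KV v2 API).
POLICY_HCL = '''
path "kv-dev/metadata/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv-dev/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv-dev/delete/*" {
  capabilities = ["update"]
}
path "kv-dev/undelete/*" {
  capabilities = ["update"]
}
path "kv-dev/destroy/*" {
  capabilities = ["update"]
}
'''

_PATH_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
_CAP_RE = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(hcl):
    """Minimal parser (hypothetical): returns [(path_pattern, [capabilities]), ...]."""
    rules = []
    for m in _PATH_RE.finditer(hcl):
        cap_match = _CAP_RE.search(m.group(2))
        caps = [] if cap_match is None else [
            c.strip().strip('"') for c in cap_match.group(1).split(",") if c.strip()
        ]
        rules.append((m.group(1), caps))
    return rules


def pattern_to_regex(pattern):
    """Translate a Vault policy path into a regex.

    A trailing '*' is a prefix glob; a '+' segment matches exactly one
    non-empty path segment; everything else must match literally.
    """
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def applicable_rule(rules, request_path):
    """Pick the rule Vault would apply: exact match first, then the longest glob."""
    matches = [(p, caps) for p, caps in rules if pattern_to_regex(p).match(request_path)]
    if not matches:
        return None
    exact = [m for m in matches if not m[0].endswith("*")]
    return exact[0] if exact else max(matches, key=lambda m: len(m[0]))


def is_allowed(rules, request_path, capability):
    """True if the chosen rule grants `capability` on `request_path`."""
    rule = applicable_rule(rules, request_path)
    return rule is not None and capability in rule[1]


def api_url_to_policy_path(url):
    """Strip scheme, host and the '/v1/' prefix: '.../v1/a/b' -> 'a/b'."""
    return url.split("/v1/", 1)[1]


if __name__ == "__main__":
    rules = parse_policy(POLICY_HCL)
    for url in (
        "https://vault_server:8200/v1/secret/data/kv-dev/pocs/test",  # from the post
        "https://vault_server:8200/v1/kv-dev/data/pocs/test",  # path the policy covers
    ):
        path = api_url_to_policy_path(url)
        rule = applicable_rule(rules, path)
        print(f"{path}: rule={rule[0] if rule else None} read={is_allowed(rules, path, 'read')}")
```

Against a live server the same question is answered by `vault token capabilities <path>` (or the `sys/capabilities-self` API), which reports the capabilities the current token has on a path and is the quickest way to tell a policy-path mismatch from a token or mount problem.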