Vault policy to show the path and key and deny the value

elan · November 23, 2021, 6:27pm

Hi All,

I am trying to write a policy for kv secret engine to show the path and key and deny the value

For example :

secret Path :
kv/path1/path2/key=value

Policy :
path “*” {
capabilities = [“list”]
}

expected in the UI is, I would like to see the everything except the value.

i.e, kv/path1/path2/key

but i can see only the path but can’'t able to see the key. could you please help me with the policy of how to get the key with the value

jeffsanicola · November 23, 2021, 6:59pm

Hi @elan,

I don’t believe it’s possible to create a policy to view partial secret content.

When viewing a secret in the UI, your browser fetches the entire secret content (all keys and associated values) and the just masks the values by default.

rgevaert · November 25, 2021, 12:12pm

Well, it looks I had exactly the same question two days later:

Topic		Replies	Views
Vault policy write only + read parameters too Vault	5	2166	November 28, 2021
Is policy limited for engine level only or all path & sub-path? Vault vault , policy-as-code	5	970	May 24, 2022
Vault Policy Question Vault vault	6	1671	December 17, 2020
Not understanding Vault policies for secret paths Vault	8	2778	June 7, 2021
Understanding Vault policies behavior Vault	2	360	November 16, 2019

Vault policy to show the path and key and deny the value

Related topics