Vault secret backend disappeared from UI

I’m using vault 1.6 version. I have mounted KV-2 on path /secret and created a few folders and secrets inside. Now the mount point /secret is not appearing in UI, however when I list it from CLI, I can see it. Anyone else faced this issue before?

H’m. Sounds like a policy issue. Does your token have the same policies attached in both cases?

Yes, and I checked with root token in both cases.

Ah. I was going to suggest something like this:

But a root token wouldn’t have any of those problems. Strange.

Indeed it seems like a policy issue. The mount is appearing in UI of another user with the required privilege. And still not sure why it's not working with root token (double checked it is root token).

Thanks so much for your reply.

Wow. That’s even stranger: that the behaviour of it not appearing in the UI isn’t even universal. Would you mind posting all the policies associated with the user/token that is able to list the mount in the UI?

This is the policy attached to the user that is able to list the mount in UI.

path "secret/*" {
  capabilities = ["list"]
}
path "secret/data/platform/*" {
  capabilities = ["read", "list"]
}

Yeah, you’ll need

path "secret/metadata" {
  capabilities = ["list"]
}

to list it in the UI.

But I thought there were literally no restrictions on a root token… So confused right now. :stuck_out_tongue_winking_eye: [Edit: oh, and the above policy was actually sufficient for that session to list the path in the UI. Which is even stranger, in the light of what you’ve raised, @Wolfsrudel.]

Even for the root token?

Yeah, this is strange at all. But I thought I would clarify why the other user can see the path in the UI :sweat_smile:

Can you use the integrated shell (in the UI) to list the capabilities for your token?

vault token capabilities secret/metadata

murali@tvmb vault-terraform $ vault token capabilities secret/metadata
root

And I'm able to list and read secrets mounted in /secret from CLI.

I don’t mean the shell/cli, but the shell in the UI. Wait…

The button to the left of the red circle.

It drops down a shell-like window.

Yeah, the UI shell only has limited capabilities.

OK, the command cannot be executed there. The vault command is limited there.

Have you tried logging out, clearing browser cache and stuff, and logging in again? This is a tricky one.

Yes, I tried that as well. Now just restarted all vault instances and it reappeared in UI.

Thanks so much @Wolfsrudel and @jlj7 for your help.

TBH I too have seen strange behaviour in the UI, but never was able to pinpoint it :frowning:
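
The policy question discussed in this thread, as an added example that is not part of any post above: a Python model of how Vault picks the policy stanza for a request path (exact path first, otherwise the trailing-`*` glob with the longest prefix), run over the policy posted in the thread. The function names are hypothetical, `+` segment wildcards and `deny` are not modelled, and the `<mount>/metadata` check follows the reply above about what the UI needs.

```python
import re

# Constructed from the policy posted in the thread.
POLICY = '''
path "secret/*" {
  capabilities = ["list"]
}
path "secret/data/platform/*" {
  capabilities = ["read", "list"]
}
'''

STANZA = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}'
)


def parse_policy(hcl):
    """Return {policy_path: set(capabilities)} for simple path stanzas."""
    return {
        path: set(re.findall(r'"([^"]+)"', caps))
        for path, caps in STANZA.findall(hcl)
    }


def capabilities(rules, request_path):
    """Exact match wins; otherwise the glob with the longest prefix.
    An empty set means no stanza applies (implicit deny)."""
    request_path = request_path.lstrip("/")
    if request_path in rules:
        return rules[request_path]
    best = None
    for pattern in rules:
        if pattern.endswith("*") and request_path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best):
                best = pattern
    return rules[best] if best else set()


def can_list_in_ui(rules, mount):
    """Assumption taken from the thread: the UI needs list on <mount>/metadata."""
    return "list" in capabilities(rules, mount.strip("/") + "/metadata")


RULES = parse_policy(POLICY)

if __name__ == "__main__":
    for p in ("secret/metadata", "secret/data/platform/db", "secret/data/other/key"):
        print(p, sorted(capabilities(RULES, p)))
    print("listable in UI:", can_list_in_ui(RULES, "/secret"))
```

Under this model the posted `secret/*` stanza already covers `secret/metadata`, which matches the observation in the thread that the second user could list the mount without an explicit `secret/metadata` stanza.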