Vault Token works in CLI but not web GUI

Running into an odd issue. We have a policy setup attached to an LDAP group. The user is able to login to the web GUI , but unable to hit a sub-path that he has read permissions on.

When checking the capabilities in the CLI (in the web GUI) he is able to read and create secrets at the sub-path.

Here is the policy:

path "/top-path" {
  capabilities = ["read"]

# read all on secrets
path "/top-path/sub-path" {
  capabilities = ["read", "list", "create"]

# allow all on secrets
path "/top-path/sub-path/*" {
  capabilities = ["create", "read", "update", "delete", "list"]

You probably want list in the first item for this to work in the UI. Because you use absolute paths in the CLI you don’t run into this, but since you “click through” in the UI you would need list to render the oaths contained there.


Thanks, that worked.

1 Like