Writing multiple policies but Vault only reads one

I’ve got a weird one during setup: Vault < (OIDC) > Keycloak

Vault v1.18.5
kubectl: Client Version: v1.32.3
  1. port-forwarded out to the vault service
  2. logged into Vault with the root token
  3. I have full access via root token - no issues there

After sending the keycloak policy to vault:

vault policy write keycloak policy/keycloak-role.hcl

Contents of policy/keycloak-role.hcl: (referred to later as policy_lines)

# Mount the OIDC auth method
path "sys/auth/oidc" {
  capabilities = [ "create", "read", "update", "delete", "sudo" ]
}

# Configure the OIDC auth method
path "auth/oidc/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Write ACL policies
path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# List available secrets engines to retrieve accessor ID
path "sys/mounts" {
  capabilities = [ "read" ]
}

The only thing that can be read FROM that policy afterwards is:

% vault policy read keycloak
path "/secret/*" {
    capabilities = ["read", "list"]
}

This is not something that was even in policy/keycloak-role.hcl.

However, when I wrap the policy in EOF - it totally works:

% vault policy write keycloak - <<EOF
policy_lines
EOF

I can then re-run the read operation and get ALL of it:

% vault policy read keycloak
policy_lines

Can someone help me understand why vault policy write keycloak policy/keycloak-role.hcl does NOT work but the EOF method does?

This is troubling.

NOTE: I’m still testing policies and assume whatever is above is incorrect until testing is done.

If anyone has keycloak/Vault experience and can comment on that bit, also much appreciated.
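A scripted version of the read-back check done by hand above, added here as an example and not code from this thread or from Vault: it parses the HCL file you intended to upload and the output of `vault policy read`, and reports which path blocks are missing, unexpected or carry different capabilities, so a write that silently landed the wrong file or policy name fails loudly instead of being noticed later. It assumes the `vault` CLI is on PATH with VAULT_ADDR and VAULT_TOKEN set; the sample intended and stored policies are constructed from the question.

```python
"""Added example: confirm that the policy Vault stores matches the HCL file you meant to upload."""
import re
import subprocess
import sys

# One `path "<pattern>" { ... capabilities = [ ... ] }` block. Comments are removed before matching.
PATH_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)

# Constructed samples from the question: the intended file and what `vault policy read` returned.
INTENDED_HCL = """
# Mount the OIDC auth method
path "sys/auth/oidc" { capabilities = [ "create", "read", "update", "delete", "sudo" ] }
# Configure the OIDC auth method
path "auth/oidc/*" { capabilities = [ "create", "read", "update", "delete", "list" ] }
# Write ACL policies
path "sys/policies/acl/*" { capabilities = [ "create", "read", "update", "delete", "list" ] }
# List available secrets engines to retrieve accessor ID
path "sys/mounts" { capabilities = [ "read" ] }
"""
STORED_HCL = 'path "/secret/*" {\n    capabilities = ["read", "list"]\n}\n'


def parse_policy(hcl: str) -> dict[str, frozenset[str]]:
    """Map each path pattern to its capability set, ignoring comments, whitespace and ordering."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in hcl.splitlines())
    return {
        path: frozenset(c.strip().strip('"') for c in caps.split(",") if c.strip())
        for path, caps in PATH_BLOCK.findall(no_comments)
    }


def compare_policies(intended_hcl: str, stored_hcl: str) -> dict[str, list[str]]:
    """Report paths missing from Vault, present but not intended, or with different capabilities."""
    intended, stored = parse_policy(intended_hcl), parse_policy(stored_hcl)
    return {
        "missing": sorted(p for p in intended if p not in stored),
        "unexpected": sorted(p for p in stored if p not in intended),
        "changed": sorted(p for p in intended if p in stored and intended[p] != stored[p]),
    }


def verify_policy(name: str, hcl_file: str) -> dict[str, list[str]]:
    """Read the named policy back with the vault CLI (VAULT_ADDR/VAULT_TOKEN from the environment)."""
    stored = subprocess.run(["vault", "policy", "read", name], check=True,
                            capture_output=True, text=True).stdout
    with open(hcl_file, encoding="utf-8") as fh:
        return compare_policies(fh.read(), stored)


if __name__ == "__main__":  # usage: python verify_policy.py keycloak policy/keycloak-role.hcl
    drift = verify_policy(sys.argv[1], sys.argv[2])
    sys.exit(1 if any(drift.values()) else 0)
```

Run it right after each `vault policy write` in the setup script; a non-zero exit on the first run would have pointed straight at the wrong file being uploaded.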

I am not able to reproduce this behavior with the example provided.

Are there any existing policies with the same name in your Vault cluster?
Any policies with the output you weren’t expecting?
What OS/editor are you using? (Wondering if there is some character issue in the file maybe?)
Are there other HCL files in the policy/ directory?

I wrote the provided example to a local file using vi, then wrote the policy to vault.

vault policy write keycloak keycloak.hcl
Success! Uploaded policy: keycloak

vault policy read keycloak
# Mount the OIDC auth method
path "sys/auth/oidc" {
  capabilities = [ "create", "read", "update", "delete", "sudo" ]
}

# Configure the OIDC auth method
path "auth/oidc/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Write ACL policies
path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# List available secrets engines to retrieve accessor ID
path "sys/mounts" {
  capabilities = [ "read" ]
}
Hi Jonathan, starting with the easiest to answer:

  1. I’m using macOS/VS Code
  2. I didn’t see any unexpected policies. I’m starting from scratch so unexpected stuff should stand out.
  3. existing policies: Yes, I’m effectively re-running a script that does the same thing, over and over. So, on the first run, no policy at all; on subsequent runs, the expectation would be to overwrite the same policy (of the same name) with the updates included; basic idempotency.
  4. Other HCL files in the policy/ directory: yes. I could double-check; I’ve made that mistake a few times.

Update: I’ve triple-checked and I think I’m going to run with #4 :expressionless_face:

Thank you for the jr debugging reminder; should have asked myself that question.

Keep us posted on how it turns out! And happy to help - most of us work better as a team - I know I do!


I value collaboration above all, even when it’s embarrassing :laughing:

Thanks again!
