
Hashicorp Vault permission with no response


I have created a kv (version 2) secrets engine, mounted on /secret:

/ $  vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
secret/       kv           kv_dba4200e           n/a

I have created a policy that should give admin access to everything in dev/team-1:

/ $ vault policy read dev
path "secret/data/dev/team-1/*" {
  capabilities = ["create", "update", "read","list"]
}

path "secret/metadata/dev/team-1/*" {
  capabilities = ["list","read"]
}

I have created a secret:

/ $ vault kv get secret/dev/team-1
===== Secret Path =====
secret/data/dev/team-1

======= Metadata =======
Key                Value
---                -----
created_time       2023-05-13T00:09:15.416686671Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

=== Data ===
Key    Value
---    -----
key    teste

and also I have created a user that has been assigned the given policy:

/ $  vault token lookup
Key                 Value
---                 -----
accessor            UYB46guPahXROwvvFpRJ3in7
creation_time       1683931479
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2023-06-13T22:44:39.062580257Z
explicit_max_ttl    0s
id                  hvs.CAESIDoYx7LfFWXh9p3KJ_CqyDQSQgQvPONeXpU4jcek-bt5Gh4KHGh2cy4zTjZUbGRKeUY3MkpweW52aDVWV0RvS3A
issue_time          2023-05-12T22:44:39.062596882Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [default dev]
renewable           true
ttl                 766h11m17s
type                service

However, when I try to access anything (list, get) with this new user attached to the dev policy, I get this:

/ $ vault kv list secret/dev/team-1
No value found at secret/metadata/dev/team-1

/ $ vault kv get secret/dev/team-1/key
No value found at secret/data/dev/team-1/key

I would really appreciate it if anyone could help with any guidance. I have spent a couple of days trying to figure out what I'm doing wrong.


Solution

  • Your KVv2 engine secret is located at path secret/dev/team-1, but the policy grants permissions to secrets at a nested path. The permissions need to be for the desired path, and not a nested path:

    path "secret/data/dev/team-1" {
      capabilities = ["create", "update", "read","list"]
    }
    
    path "secret/metadata/dev/team-1" {
      capabilities = ["list","read"]
    }
    

    Also note that this policy would not really grant admin access, as it is missing other permissions such as sudo, but the only one really necessary here would be read.
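To see why the asker saw "No value found" rather than "permission denied", and why the answer's un-nested paths fix the read, here is an added example (not code from the question, the answer or HashiCorp) that replays the asker's three commands against both policies offline. It models the KV v2 CLI path rewrite and Vault's exact-then-longest-glob rule matching; the only assumption not stated on the page is that Vault appends a trailing "/" to a list request's path before matching it against the policy.

```python
"""Offline check of which `vault kv` commands a policy lets through.

Added example, not code from the original question or answer. It models the
KV v2 path rewrite (`kv get secret/x` reads secret/data/x, `kv list secret/x`
lists secret/metadata/x) and Vault's rule matching (exact path, else the
longest matching "*" glob). Assumption not stated on the page: Vault appends
"/" to a list request's path before matching it against the policy.
"""

# Constructed from the thread: the asker's policy and the answer's fix.
ASKER_POLICY = {
    "secret/data/dev/team-1/*": {"create", "update", "read", "list"},
    "secret/metadata/dev/team-1/*": {"list", "read"},
}
FIXED_POLICY = {
    "secret/data/dev/team-1": {"create", "update", "read", "list"},
    "secret/metadata/dev/team-1": {"list", "read"},
}
EXISTING = {"secret/dev/team-1"}  # constructed: the one secret the asker wrote


def kv2_request(cmd, cli_path):
    """Map `vault kv <cmd> <mount>/<key>` to the (API path, capability) Vault checks."""
    mount, _, key = cli_path.partition("/")
    if cmd == "get":
        return f"{mount}/data/{key}", "read"
    if cmd == "list":
        return f"{mount}/metadata/{key}/", "list"  # trailing "/" is the assumption above
    raise ValueError(f"unsupported command {cmd!r}")


def capabilities_for(policy, api_path):
    """Exact rule wins; otherwise the longest glob rule whose prefix covers api_path."""
    if api_path in policy:
        return policy[api_path]
    globs = [r for r in policy if r.endswith("*") and api_path.startswith(r[:-1])]
    return policy[max(globs, key=len)] if globs else set()


def simulate(policy, cmd, cli_path):
    """Return the CLI outcome: 'ok', 'permission denied' or 'No value found'."""
    api_path, cap = kv2_request(cmd, cli_path)
    if cap not in capabilities_for(policy, api_path):
        return "permission denied"  # the ACL is evaluated before the backend is asked
    if cmd == "get":
        return "ok" if cli_path in EXISTING else "No value found"
    return "ok" if any(p.startswith(cli_path + "/") for p in EXISTING) else "No value found"


if __name__ == "__main__":  # compare both policies on the asker's three commands
    for name, pol in (("asker", ASKER_POLICY), ("fixed", FIXED_POLICY)):
        for cmd, p in (("get", "secret/dev/team-1"), ("get", "secret/dev/team-1/key"), ("list", "secret/dev/team-1")):
            print(f"{name:5} vault kv {cmd:4} {p:24} -> {simulate(pol, cmd, p)}")
```

The asker's globs match the nested paths, so those requests pass the ACL and fall through to a lookup that finds nothing, while the real secret at secret/data/dev/team-1 is refused; the corrected policy allows that read, and its list is refused only because team-1 is a secret, not a folder.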