hashicorp-vault

Vault secrets list permission denied


I can't understand how secrets list works. I have a policy with this path permission.

path "sys/mounts/*" {
capabilities = ["create", "read", "update", "delete", "list","sudo"]
}

I can run the enable and disable flags:

$ vault secrets enable -path=Test kv
Success! Enabled the kv secrets engine at: Test/
$ vault secrets disable Test
Success! Disabled the secrets engine (if it existed) at: Test/

But I can't run list or move:

vault secrets list
Error listing secrets engines: Error making API request.

URL: GET http://localhost:8200/v1/sys/mounts
Code: 403. Errors:

* permission denied

vault secrets move Test Test2
Error moving secrets engine Test/ to Test2/: Error making API request.

URL: POST http://localhost/v1/sys/remount
Code: 403. Errors:

* permission denied

It's not a file system permission issue; after changing admin-token to root-token everything works fine. So can anyone explain this behavior to me?


Solution

  • Try:

    path "sys/mounts" {
    capabilities = ["read"]
    }
    

    The commands are performed on sys/mounts, not sys/mounts/*.
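To make the answer's point concrete, here is a small Python model of how Vault matches a request path against policy paths. It is example code added for this page, not Vault's implementation; it encodes Vault's documented rules (a trailing * is a prefix glob, + matches exactly one path segment, the most specific matching rule decides) and evaluates the API calls behind the CLI commands shown in the question against the question's policy and the answer's corrected one. The sys/remount rule and its capability set are an assumption drawn only from the error URL in the question, and Vault's additional sudo requirement on root-protected paths is not modelled.

```python
"""Toy model of Vault ACL path matching (added example, not Vault's own code).

Shows why a policy with only "sys/mounts/*" is denied on GET sys/mounts
(vault secrets list) and POST sys/remount (vault secrets move) while
being allowed on sys/mounts/Test (vault secrets enable/disable).
"""
from dataclasses import dataclass

# HTTP verb -> capability Vault checks for it (simplified: a POST/PUT passes
# with either "create" or "update", handled in allowed() below).
VERB_TO_CAPABILITY = {"GET": "read", "LIST": "list", "POST": "update",
                      "PUT": "update", "DELETE": "delete"}


@dataclass(frozen=True)
class PathRule:
    pattern: str
    capabilities: frozenset


def path_matches(pattern: str, request_path: str) -> bool:
    """Return True if a policy path pattern covers request_path."""
    pat, req = pattern.split("/"), request_path.split("/")
    if pat[-1].endswith("*"):
        # Prefix glob: every segment before '*' must match, then anything may
        # follow. "sys/mounts/*" therefore means prefix "sys/mounts/", which the
        # bare request path "sys/mounts" does not start with.
        head, stem = pat[:-1], pat[-1][:-1]
        if len(req) < len(pat):
            return False
        return (all(p == "+" or p == r for p, r in zip(head, req))
                and req[len(head)].startswith(stem))
    if len(pat) != len(req):
        return False
    return all(p == "+" or p == r for p, r in zip(pat, req))


def allowed(policy, verb: str, request_path: str) -> bool:
    """Decide a request the way Vault's ACL does: most specific match wins."""
    matches = [r for r in policy if path_matches(r.pattern, request_path)]
    if not matches:
        return False  # no rule covers the path -> implicit deny (HTTP 403)
    # Exact paths beat globs; among globs the longest pattern is most specific.
    rule = max(matches, key=lambda r: (not r.pattern.endswith("*"), len(r.pattern)))
    caps = rule.capabilities
    if "deny" in caps:
        return False
    if verb in ("POST", "PUT"):
        return bool(caps & {"create", "update"})
    return VERB_TO_CAPABILITY[verb] in caps


# The policy from the question: only the glob, no rule for the parent path.
QUESTION_POLICY = [
    PathRule("sys/mounts/*",
             frozenset({"create", "read", "update", "delete", "list", "sudo"})),
]

# The question's policy plus the answer's fix (read on "sys/mounts") plus a rule
# for "sys/remount", the URL in the `secrets move` error. The capability set on
# sys/remount is an assumption for this example, not something the page states.
FIXED_POLICY = QUESTION_POLICY + [
    PathRule("sys/mounts", frozenset({"read"})),
    PathRule("sys/remount", frozenset({"update", "sudo"})),
]

# API calls behind the CLI commands on the page (request path = part after /v1/).
REQUESTS = [
    ("GET", "sys/mounts"),          # vault secrets list
    ("POST", "sys/mounts/Test"),    # vault secrets enable -path=Test kv
    ("DELETE", "sys/mounts/Test"),  # vault secrets disable Test
    ("POST", "sys/remount"),        # vault secrets move Test Test2
]


def evaluate(policy):
    """Map each (verb, path) on the page to the policy's allow/deny decision."""
    return {(verb, path): allowed(policy, verb, path) for verb, path in REQUESTS}


if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(f"--- {name} policy ---")
        for (verb, path), ok in evaluate(policy).items():
            print(f"{verb:6} {path:18} {'allowed' if ok else '403 permission denied'}")
```

Running the script prints the question's policy denying GET sys/mounts and POST sys/remount while allowing the two sys/mounts/Test calls, and the fixed policy allowing all four. The root token worked for the questioner because Vault's built-in root policy bypasses this matching entirely, which is also why it should not be used for day-to-day administration.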