Vault secrets list permission denied

3sky · Jul 12, 2018 · Viewed 13.4k times

I can't understand how secrets list works. I have a policy with a path permission.

path "sys/mounts/*" {
capabilities = ["create", "read", "update", "delete", "list","sudo"]
}

I can run enable and disable flags

$ vault secrets enable -path=Test kv
Success! Enabled the kv secrets engine at: Test/
$ vault secrets disable Test
Success! Disabled the secrets engine (if it existed) at: Test/

But I can't run list or move

vault secrets list
Error listing secrets engines: Error making API request.

URL: GET http://localhost:8200/v1/sys/mounts
Code: 403. Errors:

* permission denied

vault secrets move Test Test2
Error moving secrets engine Test/ to Test2/: Error making API request.

URL: POST http://localhost/v1/sys/remount
Code: 403. Errors:

* permission denied

It's not a file system permission issue; after changing the admin-token to the root-token everything works fine. So can anyone explain this behavior to me?

Answer

gic186 · Jul 13, 2018

Try:

path "sys/mounts" {
capabilities = ["read"]
}

The commands are performed on sys/mounts, not sys/mounts/*.
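To make the matching rule in this answer concrete, here is an added Python model (not Vault's own code, and not from either poster) of how Vault ACL paths match request paths: a trailing `*` is a prefix glob, `+` matches exactly one path segment, and a non-glob rule beats a glob one. It assumes Vault's documented mapping from HTTP method to capability (GET read, LIST list, POST/PUT create or update, DELETE delete) and reuses the sys/mounts and sys/remount URLs from the question's error output as constructed sample requests.

```python
import re

# Capability a request verb needs (assumption: Vault's documented mapping).
VERB_TO_CAP = {"GET": "read", "LIST": "list", "POST": "update",
               "PUT": "update", "DELETE": "delete"}


def path_matches(rule: str, request: str) -> bool:
    """True if a policy path rule covers the request path.

    A trailing '*' is a prefix glob (only allowed at the end);
    a '+' segment matches exactly one path segment.
    """
    is_glob = rule.endswith("*")
    body = rule[:-1] if is_glob else rule
    regex = "/".join("[^/]+" if seg == "+" else re.escape(seg)
                     for seg in body.split("/"))
    if is_glob:
        regex += ".*"
    return re.fullmatch(regex, request) is not None


def capabilities_for(policy: dict, request: str) -> set:
    """Capabilities a policy grants on a request path (empty = denied)."""
    exact = [r for r in policy if not r.endswith("*") and path_matches(r, request)]
    if exact:                        # a non-glob rule wins over any glob
        return set(policy[exact[0]])
    globs = [r for r in policy if r.endswith("*") and path_matches(r, request)]
    if not globs:
        return set()                 # Vault's default is deny
    return set(policy[max(globs, key=len)])   # most specific glob wins


def allowed(policy: dict, method: str, request: str) -> bool:
    """Would Vault accept `method request` under this policy?"""
    caps = capabilities_for(policy, request)
    if "deny" in caps:
        return False
    need = VERB_TO_CAP[method]
    # POST/PUT is accepted with either "create" or "update".
    return need in caps or (need == "update" and "create" in caps)


# The question's policy, and the answer's fix added on top of it.
QUESTION_POLICY = {"sys/mounts/*": ["create", "read", "update", "delete", "list", "sudo"]}
ANSWER_POLICY = {**QUESTION_POLICY, "sys/mounts": ["read"]}

if __name__ == "__main__":
    # Constructed requests: the three CLI commands from the question.
    for method, path in [("POST", "sys/mounts/Test"), ("GET", "sys/mounts"), ("POST", "sys/remount")]:
        print(f"{method:4} {path:16} question={allowed(QUESTION_POLICY, method, path)!s:5} "
              f"answer={allowed(ANSWER_POLICY, method, path)}")
```

Running it shows `sys/mounts/Test` allowed under both policies, `GET sys/mounts` denied by the question's policy but allowed by the answer's, and `POST sys/remount` (the `secrets move` call) matched by neither rule.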