Vault: Policy not applied correctly to enable access

Created on 1 Jan 2019 · 4 Comments · Source: hashicorp/vault

Describe the bug
When applying a policy, the specific path that grants access is not respected

To Reproduce
Steps to reproduce the behavior:

  1. Setup a policy as specified in the hcl section below
  2. Login with user having that policy
  3. From the UI, you get "Not authorized" if you access something at devops/zyx (but you can navigate there)
You don't have access to secret/. If you think you've reached this page in error, please contact your administrator.
Go back home.

Expected behavior
You should be able to edit anything under secret/devops

Environment:

  • Vault Server Version (retrieve with 1.0.1):
  • Vault CLI Version (retrieve with 1.0.0):
  • Server Operating System/Architecture: Docker image on OSX

Vault server configuration file(s):

path "secret/devops/*" {
   capabilities = ["create", "read", "update", "delete"]
}

path "secret/*" {
   capabilities = ["list"]
}

Additional context
If I give

path "secret/*" {
   capabilities = ["create", "read", "update", "delete", "list"]
}

it all works fine. And note: this does not work either

path "secret/devops/*" {
   capabilities = ["create", "read", "update", "delete", "list"]
}

All 4 comments

Ahh, thanks V2

thus, confirmed this would be the way to go:

path "secret/data/devops/*" {
   capabilities = ["create", "read", "update", "delete"]
}

path "secret/metadata/*" {
   capabilities = ["list"]
}

Thank you @jefferai .
I want to highlight again that if your path is secret/projects/yak/dev, you have to add data after secret when it comes to policies: secret/data/projects/yak/dev.
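As an added illustration, not Vault's own code and not from anyone in this thread, the following Go sketch models why the reporter's policy failed: a KV v2 mount authorizes requests against secret/data/<key> and secret/metadata/<key>, so a rule on secret/devops/* never matches a write to devops/zyx, while secret/* still grants list and lets the UI navigate. The rule matcher and the KV v2 path mapping are simplified assumptions of this example.

```go
package main

import "strings"

// Simplified model of Vault policy evaluation, written for this issue and
// not Vault's own code: a rule is an exact API path or a prefix glob ending
// in "*", and the most specific matching rule decides the capabilities.
type rule struct {
	path string
	caps []string
}

// kv2Path maps the logical key a user types (e.g. "devops/zyx" on the
// "secret" mount) to the API path a KV v2 mount actually authorizes:
// <mount>/data/<key> for reads and writes, <mount>/metadata/<key> for lists.
func kv2Path(mount, key, op string) string {
	if op == "list" {
		return mount + "/metadata/" + key
	}
	return mount + "/data/" + key
}

// allowed reports whether op is permitted on apiPath under rules.
func allowed(rules []rule, apiPath, op string) bool {
	best, caps := -1, []string(nil)
	for _, r := range rules {
		if strings.HasSuffix(r.path, "*") {
			prefix := strings.TrimSuffix(r.path, "*")
			if strings.HasPrefix(apiPath, prefix) && len(prefix) > best {
				best, caps = len(prefix), r.caps
			}
		} else if apiPath == r.path && len(r.path)+1 > best { // exact beats glob
			best, caps = len(r.path)+1, r.caps
		}
	}
	for _, c := range caps {
		if c == op {
			return true
		}
	}
	return false
}

var crud = []string{"create", "read", "update", "delete"}

// The reporter's policy (logical paths) and the one confirmed in the comments.
var original = []rule{{"secret/devops/*", crud}, {"secret/*", []string{"list"}}}
var fixed = []rule{{"secret/data/devops/*", crud}, {"secret/metadata/*", []string{"list"}}}
```

Evaluating an update to devops/zyx under `original` yields false while a list of devops yields true, which is exactly the "can navigate but Not authorized" symptom; under `fixed` both succeed.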

Had the same issue with version 1.5.5 with the below policy from the tutorial. Weird that in the UI the policy seems to work. Any help greatly appreciated!

my-policy
path "secret/data/*" {
   capabilities = ["create", "update"]
}

path "secret/data/foo" {
   capabilities = ["read"]
}

Key Value
--- -----
token s.XI13TN4pelJbxdd0yNhjJTCd
token_accessor BHNjdsdXZJQNxS07uxEfAURV
token_duration 767h59m16s
token_renewable true
token_policies ["default" "my-policy"]
identity_policies []
policies ["default" "my-policy"]

>vault kv put secret/foo robot=beepboop
Key Value
--- -----
created_time 2020-11-18T00:10:50.70635Z
deletion_time n/a
destroyed false
version 1
