Describe the bug
Using the docker version and following the steps in the guide, I did a vault login and it worked, yet when I run the command vault kv put secret/hello foo=world exactly like in the tutorial, it resulted in the following error:
vault kv put secret/hello foo=world
Error making API request.
URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/hello
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "secret/hello/"
To Reproduce
Steps to reproduce the behavior:
docker run -d -v /opt/vault:/vault --cap-add=IPC_LOCK vault server
export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init
chown vault /vault -R #was having issues with mkdir default dirs because it was owned by root
vault unseal ...
vault login ...
vault kv put secret/hello foo=world
Expected behavior
secret is properly stored
Environment:
Vault server version (retrieve with vault status): 1.1.1
Vault CLI version (retrieve with vault version): 1.1.1
Vault server configuration file(s):
{
  "listener": [{
    "tcp": {
      "address": "127.0.0.1:8200",
      "tls_disable": 1
    }
  }],
  "storage": {
    "file": {
      "path": "/vault/data"
    }
  }
}
Additional context
I am facing the same issue @passwordleak. Were you able to resolve it? I see the issue is closed?
https://stackoverflow.com/questions/54312213/hashicorp-vault-cli-return-403-when-trying-to-use-kv
You just need to enable the KV secrets engine. My example used consul, but you can do it with files backend as well.
$ cat vault-config.hcl
api_addr = "http://127.0.0.1:8200"
log_level = "trace"
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
  service = "vault"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
$ vault server -config vault-config.hcl
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: trace
Mlock: supported: false, enabled: false
Storage: consul (HA available)
Version: Vault v1.1.2
Version Sha: 0082501623c0b704b87b1fbc84c2d725994bac54
==> Vault server started! Log data will stream in below:
2019-05-10T19:20:45.171-0700 [DEBUG] storage.consul: config path set: path=vault
$ vault secrets enable -path=secret/ kv
Success! Enabled the kv secrets engine at: secret/
$ vault kv put secret/foo bar=baz
Success! Data written to: secret/foo
$ vault kv get -format=json secret/foo
{
  "request_id": "4c1057ac-a271-b886-c737-6dfd9fffb608",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "bar": "baz"
  },
  "warnings": null
}
You can verify that it exists in Consul (raw data)
$ consul kv get -recurse vault/logical
vault/logical/251203a3-886a-299a-e57e-400c555997e5/foo:g?-w....<raw-binary-data-skipped>
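An added example (not from the issue or any commenter): a small Python script that diagnoses the 403 the way the comment above does, by reading the mount table over Vault's HTTP API and enabling a KV engine at secret/ only when nothing is mounted there. It assumes VAULT_ADDR and VAULT_TOKEN point at the server with a token allowed to read and write sys/mounts, and it mounts KV version 2 (the CLI's -version=2) rather than the default the comment above enables.

```python
"""Check why `vault kv put secret/...` gets a 403 preflight error.

A server initialised with `vault operator init` mounts no KV engine at
secret/ (only `vault server -dev` does), so the CLI's lookup of
sys/internal/ui/mounts/secret/hello is refused. This reads the mount
table over the HTTP API and enables KV at secret/ only if nothing is there.
"""
import json
import os
import urllib.request


def mount_type(mounts, path):
    """Engine type mounted at `path` (e.g. "secret/"), or None if unmounted.
    `mounts` is the parsed body of GET /v1/sys/mounts; newer Vault versions
    wrap the table in "data", older ones return it at the top level."""
    table = mounts.get("data", mounts)
    entry = table.get(path.rstrip("/") + "/")
    return entry.get("type") if entry else None


def vault_request(addr, token, method, api_path, body=None):
    """Minimal Vault API call; raises urllib.error.HTTPError on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr}/v1/{api_path}", data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()  # enabling a mount answers 204 with an empty body
    return json.loads(raw) if raw else {}


def ensure_kv_mount(addr, token, path="secret/", version="2", request=vault_request):
    """Return the engine type at `path`, mounting KV there only if it is empty.
    An existing non-KV engine is left alone (mounting over it would hide its
    data). If this returns "kv" and `vault kv put` still gets a 403, the
    token's policies really are the problem the error message names."""
    current = mount_type(request(addr, token, "GET", "sys/mounts"), path)
    if current is not None:
        return current
    request(addr, token, "POST", "sys/mounts/" + path.rstrip("/"),
            {"type": "kv", "options": {"version": version}})
    return "kv"


if __name__ == "__main__":
    # VAULT_TOKEN must hold the token obtained from `vault login`.
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    print("secret/ ->", ensure_kv_mount(addr, os.environ["VAULT_TOKEN"]))
```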