Introduction
There are multiple ways (CLI, UI, API) for HCP Vault users to retrieve or view the secrets stored in an HCP Vault cluster. This article covers a scenario in which users cannot fetch secrets residing in a child namespace through the Web UI, even though the same secrets can be read from both the Vault CLI and the Web CLI.
Prerequisites
1. Create an HCP Vault cluster.
2. Create a child namespace under the admin namespace.
3. Enable the KV secrets engine in the child namespace at a given path and create some secrets.
4. Create a policy in the admin namespace to read secrets from the child namespace.
5. Create a user who logs in to HCP Vault using username and password authentication.
6. Assign the policy created in step 4 to the user created in step 5.
Problem
When the user tries to fetch the secret created in the child namespace at a given path through the Web CLI or the Vault CLI, the secret is returned. If the user instead tries to view that secret in the Web UI, the user gets the error below:
Cause
The UI and the CLI behave differently when reading the secret because navigation through the UI is a journey, whereas the CLI makes specific calls that have no relation to each other.
For the UI to present only the things the user can do, and hide what they cannot, Vault uses special endpoints that tell the UI what to show so that the experience is not overwhelming. When viewing a secret, the UI sometimes first checks whether the user has the ability to read it (via the capabilities-self call) before attempting the read, so that the read is skipped if the user lacks permission.
Solution
Add the capability below to the user's policy to fix the "Not Authorized" error shown in the screenshot above (sys/capabilities-self is called with POST, which is why the update capability is required):
path "+/sys/capabilities-self" {
  capabilities = ["update"]
}
Note: Here the "+" sign refers to the child namespace residing under the admin namespace; it matches a single path segment, which in this case is the child namespace's name.
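To make the cause concrete, here is an added example (not Vault's code and not from the original article) that models Vault's policy path matching in Python and runs the UI's preflight-plus-read journey and the CLI's direct read against the prerequisite policy with and without the fix; the child namespace name "childns" and the KV mount "kv" are constructed placeholders.

```python
# Added example, not HashiCorp's code: a simplified model of Vault ACL path
# matching showing why the UI's capabilities-self preflight is denied while a
# plain CLI read succeeds. Constructed assumptions: child namespace "childns",
# KV v2 mounted at "kv" inside it. Simplifications: longest matching rule wins;
# only "+" (one segment) and a trailing "*" (prefix glob) are modelled.

def path_matches(rule_path: str, request_path: str) -> bool:
    """True if a policy path matches a request path; both are relative to the
    namespace the policy was written in (here, the admin namespace)."""
    rule_segs = rule_path.split("/")
    req_segs = request_path.split("/")
    for i, seg in enumerate(rule_segs):
        if i >= len(req_segs):
            return False
        if i == len(rule_segs) - 1 and seg.endswith("*"):
            # trailing glob: the rest of the request must start with the literal part
            return "/".join(req_segs[i:]).startswith(seg[:-1])
        if seg == "+":
            continue  # "+" matches exactly one segment, e.g. the child namespace name
        if seg != req_segs[i]:
            return False
    return len(rule_segs) == len(req_segs)

# HTTP method -> capability, as Vault maps it: GET needs read, POST needs update/create.
OP_TO_CAPS = {"read": {"read"}, "update": {"update", "create"}}

def is_allowed(policy: dict, operation: str, request_path: str) -> bool:
    """policy maps path -> capability list; the most specific matching rule decides."""
    matches = [p for p in policy if path_matches(p, request_path)]
    if not matches:
        return False
    caps = set(policy[max(matches, key=len)])
    return "deny" not in caps and bool(caps & OP_TO_CAPS[operation])

# The policy from the prerequisites lives in the admin namespace, so the child
# namespace name is the first path segment.
READ_ONLY_POLICY = {"childns/kv/data/*": ["read"]}
# The same policy plus the rule from the Solution section.
FIXED_POLICY = {**READ_ONLY_POLICY, "+/sys/capabilities-self": ["update"]}

def cli_can_read(policy: dict, secret: str = "childns/kv/data/app") -> bool:
    """The CLI issues the read directly; there is no preflight."""
    return is_allowed(policy, "read", secret)

def ui_can_view(policy: dict, secret: str = "childns/kv/data/app") -> bool:
    """The UI journey: a POST to sys/capabilities-self in the child namespace
    (needs update), and only then the read. Both must pass."""
    preflight = is_allowed(policy, "update", "childns/sys/capabilities-self")
    return preflight and cli_can_read(policy, secret)
```

With the read-only policy the CLI read succeeds but the UI journey fails at the preflight; adding the "+/sys/capabilities-self" rule makes both succeed.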
References
https://developer.hashicorp.com/vault/tutorials/enterprise/namespaces#policy-with-namespaces
https://developer.hashicorp.com/vault/api-docs/system/capabilities-self