Problem
When switching from the root namespace to any other child namespace in the Vault UI, users may encounter the following warning message:
"You do not have access to this namespace."
Log into the namespace directly, or contact your administrator if you think you should have access.
This issue occurs even when the user has the appropriate permissions configured for the child namespaces.
Affected versions
Vault version 1.16.6 and onwards.
Cause
This issue is related to a known bug in Vault, which causes namespaces that begin with certain characters, such as a +, to not be handled correctly. As a result, Vault may fail to recognise or validate access permissions for those namespaces, triggering the "You do not have access to this namespace" warning message. Example policy given below:
# Allow read/list access to standard namespaces
path "ad/*" {
capabilities = ["read", "list"] }
# Allow read/list access to namespaces starting with '+'
path "+/ad/*" {
capabilities = ["read", "list"] }
While this bug is being addressed, users may continue to experience this issue in certain scenarios.
Workaround
As a temporary workaround, it is recommended to apply an explicit policy that includes the affected namespace. This policy should grant access to the relevant namespace, which can help resolve the warning message. i.e To work around this issue, add a policy line to your policy that starts with the namespace name in the policy.
# Allow read/list access to standard namespaces
path "ad/*" {
capabilities = ["read", "list"] }
# Allow read/list access to child namespace ns1
path "ns1/ad/*" {
capabilities = ["read", "list"] }
# Allow read/list access to child namespace ns2
path "ns2/ad/*" {
capabilities = ["read", "list"] }
Limitation of the workaround
If your environment has a large number of namespaces, manually adding a policy for each namespace may not be a scalable solution.