Introduction
The Vault KV V2 secrets engine stores secrets under a hidden `data/` path, so you may get a `permission denied` error when writing to the path you believe is correct.
Overview
The KV secrets engine version 2 (KV-V2) uses a prefixed API that differs from the version 1 API.
Secret data lives under the `data/` prefix of the mount. The `vault kv` CLI adds this prefix for you, but policies and `vault token capabilities` checks operate on the raw API path, so the behaviour can appear inconsistent when the prefix is left out.
Use-case
Enable the KV secrets engine version 2 at the path `test-kv`.
Attach two policies to the same token: an `admin` policy with full access under `test-kv`, and a `readonly` policy that only allows reading the secret at `test-kv/data/daniela`.
Enable the KV V2 secrets engine at the path `test-kv`:
$ vault secrets enable -path=test-kv/ kv-v2
The policies should look like this.

The "admin" policy is:

path "test-kv/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

The "readonly" policy is:

path "test-kv/data/daniela" {
  capabilities = ["read", "list"]
}
Subsequent calls get confusing: the `data/` segment is never typed when using the `vault kv` CLI, but it is part of the path that policies and `vault token capabilities` evaluate. Checking the path as you typed it on the CLI therefore checks a different path from the one the CLI actually requests:
$ vault token capabilities test-kv/daniela
The above returns the following output, because `test-kv/daniela` is only matched by the glob in the more permissive `admin` policy:
create, delete, list, read, update
However, when you attempt to write the secret with `vault kv put test-kv/daniela`, you are actually writing to the path `test-kv/data/daniela`. That path is matched by both policies, and the exact match in `readonly` takes priority over the `test-kv/*` glob, so the write is rejected with `permission denied` despite what the capabilities check suggested.
We can show this using the `-output-curl-string` flag:
$ vault kv put -output-curl-string test-kv/daniela test=bla1
curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"data":{"test":"bla1"},"options":{}}' http://127.0.0.1:8200/v1/test-kv/data/daniela
Similarly, if you then try to include the prefix yourself and run:
$ vault kv put test-kv/data/daniela test=bla1
you are actually writing to the path `test-kv/data/data/daniela`, because the CLI adds `data/` again rather than recognising the one you typed. That path is not covered by the less permissive `readonly` policy at all, so the write succeeds under `admin`, but it lands on a different secret than intended:
$ vault kv put -output-curl-string test-kv/data/daniela test=bla1
curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"data":{"test":"bla1"},"options":{}}' http://127.0.0.1:8200/v1/test-kv/data/data/daniela
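The two mistakes above (checking capabilities on the CLI path instead of the API path, and typing `data/` yourself so it gets doubled) come from the same mapping, so the following added example, which is not from the original article or from HashiCorp, makes that mapping explicit. The helper names `kv2_api_path` and `kv2_prefix_warning` are assumptions for illustration; the only real command used is `vault token capabilities`, which runs only if a `vault` binary and `VAULT_ADDR` are present.

```shell
#!/bin/sh
# Added example (not from the original article): translate a KV v2 CLI path
# into the API path that Vault actually authorises, so policies and
# "vault token capabilities" checks are written against the right string.

# kv2_api_path MOUNT CLI_PATH [data|metadata]
# Prints the API path the CLI will request for "vault kv <cmd> MOUNT/CLI_PATH".
# get/put/delete hit the data/ prefix; list and metadata commands hit metadata/.
kv2_api_path() {
  mount=${1%/}        # tolerate a trailing slash on the mount ("test-kv/")
  rel=${2#/}          # tolerate a leading slash on the secret path
  kind=${3:-data}     # default to the data/ prefix used by put/get
  printf '%s/%s/%s\n' "$mount" "$kind" "$rel"
}

# kv2_prefix_warning MOUNT CLI_PATH
# Returns 0 (and warns on stderr) when the caller already typed data/ or
# metadata/ after the mount. The CLI does not strip it, so the request path
# ends up with a doubled prefix such as test-kv/data/data/daniela.
kv2_prefix_warning() {
  rel=${2#/}
  case "$rel" in
    data/*|metadata/*)
      echo "warning: '$1/$rel' will be requested as '$(kv2_api_path "$1" "$rel")'" >&2
      return 0 ;;
  esac
  return 1
}

# Usage against a live Vault (skipped when no CLI or server address is configured):
# check the token's capabilities on the path the CLI will really use.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  vault token capabilities "$(kv2_api_path test-kv daniela)"
fi
```

With the policies from this article, `vault token capabilities test-kv/data/daniela` reports `list, read` for a token holding both policies, which matches the `permission denied` seen on `vault kv put test-kv/daniela`, whereas the same check on `test-kv/daniela` reports the full `admin` capabilities and is misleading.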