Introduction
This article shows how to grant access to specific secrets inside a KV secrets engine while denying everything else in that engine. A common requirement is that a team may read only the keys under its own path (for example its environment) in a shared KV engine.
Procedure
1. Enable the KV-v2 engine (example at the kvV2 path):
vault secrets enable -path=kvV2 -version=2 kv
2. Create secrets at different paths (example env/qa, env/dev and env/prod):
vault kv put kvV2/env/qa/account name=account
vault kv put kvV2/env/dev/account name=account
vault kv put kvV2/env/prod/account name=account
3. (Screenshot of the resulting paths in the Vault UI; image not reproduced here.)
4. Create a policy for each path (env/qa, env/dev and env/prod):
Policy for QA path
Allow listing and navigating through the kvV2 engine, but allow reading only under env/qa. The kvV2/+/+ rule grants only list, so it can reveal path names but never secret values. These policies are read-only; a team that must also write its own secrets needs create and update on the kvV2/data/env/<environment>/* path:
path "kvV2/metadata/env/qa/*" {
capabilities = ["read","list"]
}
path "kvV2/data/env/qa/*" {
capabilities = ["read","list"]
}
# Ability to list paths while navigating to QA
path "kvV2/+/+" {
capabilities = ["list"]
}
Policy for Dev path
Allow listing and navigating through the kvV2 engine, but allow reading only under env/dev:
path "kvV2/metadata/env/dev/*" {
capabilities = ["read","list"]
}
path "kvV2/data/env/dev/*" {
capabilities = ["read","list"]
}
# Ability to list paths while navigating to DEV
path "kvV2/+/+" {
capabilities = ["list"]
}
Policy for Prod path
Allow listing and navigating through the kvV2 engine, but allow reading only under env/prod:
path "kvV2/metadata/env/prod/*" {
capabilities = ["read","list"]
}
path "kvV2/data/env/prod/*" {
capabilities = ["read","list"]
}
# Ability to list paths while navigating to Prod
path "kvV2/+/+" {
capabilities = ["list"]
}
5. After writing each policy to Vault under the names qa, dev and prod, attach it to an existing auth method, or create tokens that carry the newly created policies:
vault token create -policy=qa
vault token create -policy=dev
vault token create -policy=prod
6. Verify access with the tokens from the previous step. Log in to the UI and browse the kvV2 engine, or log in via the CLI and run the list and get commands. Access is limited to the paths granted by the policy; a read or list outside them is denied. Example below for QA.
$ vault kv list kvV2/env/qa
Keys
----
account
$ vault kv get kvV2/env/qa/account
====== Secret Path ======
kvV2/data/env/qa/account
======= Metadata =======
Key Value
--- -----
created_time 2024-07-30T13:54:17.266700332Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
==== Data ====
Key Value
--- -----
name account
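The procedure above can only be verified against a running Vault server. As an added example (not part of the original article and not Vault's own code), the script below models Vault's ACL path matching offline and runs the QA policy from step 4 against the requests that the CLI commands in step 6 actually send, plus a few that should be denied. It assumes Vault's documented matching rules (a trailing "*" is a prefix match, "+" matches one path segment, otherwise exact match, the most specific matching rule wins) and that a list request is evaluated with a trailing "/" appended, as the Vault HTTP layer does. BROAD_POLICY is a constructed over-broad policy included only for contrast. The authoritative check on a real server remains `vault token capabilities`.

```python
"""Offline simulator for the article's KV v2 policies.

Added example, not Vault's own code. Assumptions (verify against a real
server with `vault token capabilities`):
  * a rule path ending in "*" is a prefix (glob) match;
  * "+" matches exactly one path segment;
  * any other rule path must match exactly;
  * when several rules match, the most specific one (exact match, else the
    longest literal prefix) decides;
  * a LIST request gets a trailing "/" appended before evaluation, so
    `vault kv list kvV2/env/qa` is checked as "kvV2/metadata/env/qa/".
"""
import re

# Rule text taken from the article's QA policy.
QA_POLICY = """
path "kvV2/metadata/env/qa/*" {
  capabilities = ["read","list"]
}
path "kvV2/data/env/qa/*" {
  capabilities = ["read","list"]
}
# Ability to list paths while navigating to QA
path "kvV2/+/+" {
  capabilities = ["list"]
}
"""

# Constructed over-broad policy for contrast: one glob over the whole engine.
BROAD_POLICY = """
path "kvV2/*" {
  capabilities = ["read","list"]
}
"""

# Minimal reader for `path "..." { capabilities = [...] }` blocks only.
_RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(hcl: str) -> list[tuple[str, set[str]]]:
    """Return (rule_path, capabilities) pairs in policy order."""
    rules = []
    for path, caps in _RULE_RE.findall(hcl):
        rules.append((path, {c.strip().strip('"') for c in caps.split(",") if c.strip()}))
    return rules


def _matches(rule_path: str, req_path: str) -> bool:
    if rule_path.endswith("*"):                      # glob: prefix match
        return req_path.startswith(rule_path[:-1])
    if "+" in rule_path:                             # segment wildcard
        rp, qp = rule_path.split("/"), req_path.split("/")
        return len(rp) == len(qp) and all(r == "+" or r == q for r, q in zip(rp, qp))
    return rule_path == req_path                     # exact


def _specificity(rule_path: str) -> int:
    """Length of the literal prefix before the first wildcard."""
    return len(re.split(r"[*+]", rule_path, maxsplit=1)[0])


def capabilities(rules, req_path: str) -> set[str]:
    """Capabilities granted by the most specific matching rule, or {"deny"}."""
    matched = [(p, c) for p, c in rules if _matches(p, req_path)]
    if not matched:
        return {"deny"}
    exact = [m for m in matched if "*" not in m[0] and "+" not in m[0]]
    _path, caps = exact[0] if exact else max(matched, key=lambda m: _specificity(m[0]))
    return set(caps)


def allowed(rules, op: str, req_path: str) -> bool:
    """Would Vault permit `op` (read/list/create/update/...) on req_path?"""
    if op == "list" and not req_path.endswith("/"):
        req_path += "/"                              # as the HTTP layer does for LIST
    return op in capabilities(rules, req_path)


QA_RULES = parse_policy(QA_POLICY)
BROAD_RULES = parse_policy(BROAD_POLICY)

if __name__ == "__main__":
    checks = [
        ("read",   "kvV2/data/env/qa/account"),      # vault kv get kvV2/env/qa/account
        ("list",   "kvV2/metadata/env/qa"),          # vault kv list kvV2/env/qa
        ("read",   "kvV2/data/env/dev/account"),     # another environment
        ("list",   "kvV2/metadata/env/prod"),
        ("update", "kvV2/data/env/qa/account"),      # policy is read-only
        ("read",   "kvV2/data/env/qa"),              # glob needs a trailing segment
    ]
    for op, path in checks:
        for name, rules in (("qa", QA_RULES), ("broad", BROAD_RULES)):
            verdict = "allowed" if allowed(rules, op, path) else "denied"
            print(f"{name:5} {op:6} {path:28} {verdict}")
```

The last check is the gotcha worth remembering: `kvV2/data/env/qa/*` matches everything below env/qa but not a secret stored at env/qa itself, so keep secrets one level under the path the policy names.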
NOTE: The KV version 1 engine has no metadata or data prefixes, so the policy refers to the secret paths directly. Example for QA:
path "kvV1/env/qa/*" {
capabilities = ["read","list"]
}
# Ability to list paths while navigating to QA
path "kvV1/+/+" {
capabilities = ["list"]
}