Simple Vault policy not working on KV secret backend


thorn

Jun 26, 2018, 6:25:37 AM
to Vault
Hi, 

I have created a token associated to a policy named "provisioner-policy" allowing a number of actions, including reading and writing to the path services/ on which is mounted a KV secrets backend. The interesting part of the policy reads:

path "services/*" {
   capabilities = ["create", "read", "update", "delete", "list"]
}

I can verify that the token is correctly bound to that policy by authenticating with it and running:


$ vault token lookup
Key          Value
---          -----
[...]
policies     [default provisioner-policy]
renewable    true
ttl          2756927

However, when I attempt to list or write to secrets/test, I get a permission denied error:

$ vault kv put services/test value=foo
Error making API request.
URL: GET https://xxx.local:8200/v1/sys/internal/ui/mounts/services/test
Code: 403. Errors:
* permission denied


I am running Vault client v0.10.3, and the server is running v0.10.0. Any idea what could be wrong? I tried to use the v0.10.0 and v0.10.1 client just in case, but to no avail.

The complete commands output can be found attached.

Thank you!

vault.txt

Brian Kassouf

Jun 26, 2018, 1:47:32 PM
to vault...@googlegroups.com
For the kv subcommand, versions >=0.10.1 of the CLI will not work with a 0.10.0 or older server. See https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#0101097-april-25th-2018 for the Changelog notice about this.

Try using a 0.10.0 CLI or upgrade your server to 0.10.3.

Best,
Brian 

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/e73a8ccb-1451-4bb6-b6d6-eadd445c86ac%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nathan Basanese

Jun 26, 2018, 1:52:43 PM
to Vault
// , Why is it making an API call to the path sys/internal/ui/mounts/services/test instead of the path in your policy?

Also, if you're using the CLI, you need to echo $VAULT_ADDR

Did you try the HTTP API instead of the CLI to see if there's a difference?

Brian Kassouf

Jun 26, 2018, 2:05:12 PM
to vault...@googlegroups.com
The `vault kv` subcommand does a preflight request to sys/internal/ui/mounts/services/test to determine if the kv mount is running version 1 or 2. It then formats the appropriate request data for that version.

This functionality was introduced in 0.10.1.

Best,
Brian

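The preflight Brian describes is easy to reproduce against the HTTP API, which also makes the 403 in the original post easier to read: the URL in the error names the preflight path, not the path the policy grants. The script below is an added example written for this thread, not code from the thread or from HashiCorp. It assumes `VAULT_ADDR` and `VAULT_TOKEN` are set in the environment, and that `GET /v1/sys/internal/ui/mounts/<path>` returns a JSON document whose `data` object carries the mount `path` and an `options` map with `version` for KV v2 (the shape the CLI relies on; treat it as an assumption). `classify_denial` separates a denial at the preflight step from a denial on the secret path, and `plan_kv_write` builds the version-specific request the CLI would send.

```python
"""Reproduce the `vault kv put` preflight by hand and attribute a 403 to the
right step. Added example for the thread above; not HashiCorp code.

Assumptions: VAULT_ADDR / VAULT_TOKEN in the environment; the mount-info
endpoint returns {"data": {"path": "<mount>/", "options": {"version": "2"}}}
for KV v2 mounts and no "version" (or no options) for KV v1.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

PREFLIGHT_PREFIX = "sys/internal/ui/mounts/"


def classify_denial(error_url):
    """Return ("preflight", secret_path) if the failing URL is the mount
    lookup the CLI performs first, else ("secret", api_path)."""
    path = urlparse(error_url).path
    api_path = path[len("/v1/"):] if path.startswith("/v1/") else path.lstrip("/")
    if api_path.startswith(PREFLIGHT_PREFIX):
        return "preflight", api_path[len(PREFLIGHT_PREFIX):]
    return "secret", api_path


def plan_kv_write(mount_info, secret_path, kv_pairs):
    """Return (api_path, body) for writing kv_pairs to secret_path.

    mount_info is the "data" object from the preflight response. KV v2 writes
    go to /v1/<mount>/data/<rest> with the pairs wrapped in {"data": ...};
    KV v1 writes go to /v1/<mount>/<rest> with the pairs as the body.
    """
    mount = mount_info["path"].strip("/") + "/"
    if not secret_path.startswith(mount):
        raise ValueError(f"{secret_path!r} is not under mount {mount!r}")
    rest = secret_path[len(mount):]
    options = mount_info.get("options") or {}
    if str(options.get("version", "1")) == "2":
        return f"/v1/{mount}data/{rest}", {"data": dict(kv_pairs)}
    return f"/v1/{mount}{rest}", dict(kv_pairs)


def _request(method, api_path, body=None):
    """Minimal authenticated call to the Vault HTTP API (urllib only)."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        addr + api_path, method=method, data=data,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()          # KV v1 writes answer 204 with an empty body
        return json.loads(raw) if raw else {}


def kv_put(secret_path, kv_pairs):
    """Preflight, then write, mirroring the CLI; say which step was denied."""
    try:
        info = _request("GET", "/v1/" + PREFLIGHT_PREFIX + secret_path)["data"]
    except urllib.error.HTTPError as e:
        kind, where = classify_denial(e.geturl())
        raise SystemExit(f"HTTP {e.code} at the {kind} step for {where}") from e
    api_path, body = plan_kv_write(info, secret_path, kv_pairs)
    try:
        return _request("POST", api_path, body)
    except urllib.error.HTTPError as e:
        kind, where = classify_denial(e.geturl())
        raise SystemExit(f"HTTP {e.code} at the {kind} step for {where}") from e


if __name__ == "__main__":
    # usage: python kvput.py services/test value=foo
    target, *pairs = sys.argv[1:]
    print(kv_put(target, dict(p.split("=", 1) for p in pairs)))
```

Running it with the token from the original post would report the denial "at the preflight step for services/test", which is the distinction the thread turns on: the `services/*` rule in the policy was never the path being evaluated.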