Enable to read Kv v2 using Vault UI

Corentin Fresnel
Aug 13, 2018, 5:23:24 AM
to Vault
Hi,
We are testing Vault UI to let users read KV secrets. The problem occurs with KV v2 only.

Secrets can be read in the UI when they are in v1, but not in v2.
Both are working fine using the API.

Despite several tests with many different policies, I can't find how to make it work.

To Reproduce
Secret's path:
KV v1: secret_v1/my-secret-v1/dev
KV v2: secret_v2/my-secret-v2/dev

Policies:

secret_v1_policy.json

{
  "path": {
    "secret_v1/my-secret-v1/dev": {
      "capabilities": ["read"]
    },
    "secret_v1/my-secret-v1/": {
      "capabilities": ["list"]
    },
    "secret_v1/": {
      "capabilities": ["read", "list"]
    }
  }
}

secret_v2_policy.json

{
  "path": {
    "secret_v2/data/my-secret-v2/dev": {
      "capabilities": ["read"]
    },
    "secret_v2/data/my-secret-v2/": {
      "capabilities": ["list"]
    },
    "secret_v2/": {
      "capabilities": ["read", "list"]
    }
  }
}

Expected behavior

Expecting to be able to read secrets in KV version 2. It doesn't work with the UI but it works with the API.

Example with UI

[Screenshot: Capture d’écran de 2018-08-09 12-42-22.png]

Example with API:

curl --request GET --header "X-Vault-Token: $VAULT_TOKEN" http://localhost:8200/v1/secret_v2/data/my-secret-v2/dev

Response:

{
  "request_id": "f335edbb-b560-bd28-14f5-95c27b250fe8",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "data": {
      "key": "foo",
      "valeur": "bar"
    },
    "metadata": {
      "created_time": "2018-08-09T07:24:40.354376738Z",
      "deletion_time": "",
      "destroyed": false,
      "version": 1
    }
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

Environment:
  • Vault Server Version: 0.10.4
  • Vault CLI Version: We don't use the CLI
  • Server Operating System/Architecture: 4.4.0-130-generic GNU/Linux (Vault runs in Docker)

Vault server configuration file(s):

{
  "ui": true,
  "storage": {
    "consul": {
      "address": "172.17.0.1:8500",
      "path": "vault_dev"
    }
  },
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  },
  "disable_mlock": true
}

Jeff Mitchell
Aug 13, 2018, 10:16:28 AM
to Vault
Hi Corentin,

Paths to access data in KVv2 start with /data/; see https://www.vaultproject.io/api/secret/kv/kv-v2.html#create-update-secret

It's an unfortunate change, and one that `vault kv` papers over for you, but it was necessary for us to actually add features beyond the "dumb" passthrough of v1. V1 isn't going anywhere though, so you can feel free to keep using that too.

Best,
Jeff
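
As an added illustration of Jeff's point (example code written for this page, not Vault's own code and not from either poster): the v1-versus-v2 API path rewrite that `vault kv` performs, the nested data.data shape of the v2 response shown above, and a simplified model of how a policy such as secret_v2_policy.json is matched against the requested path. The matcher is an assumption that only handles exact paths, trailing "*" globs and "deny"; it is not Vault's ACL implementation.

```python
import json

# Constructed sample: the KV v2 API response from the post, trimmed to the
# fields used below (a real response also carries lease, wrap_info, ...).
KV2_RESPONSE = json.loads("""
{"data": {"data": {"key": "foo", "valeur": "bar"},
          "metadata": {"version": 1, "destroyed": false}}}
""")

# The secret_v2_policy.json from the post, as a plain dict.
SECRET_V2_POLICY = {
    "path": {
        "secret_v2/data/my-secret-v2/dev": {"capabilities": ["read"]},
        "secret_v2/data/my-secret-v2/": {"capabilities": ["list"]},
        "secret_v2/": {"capabilities": ["read", "list"]},
    }
}

def api_path(mount, secret_path, kv_version):
    """Path under /v1/ used to read a secret: KV v1 addresses the secret
    directly, KV v2 inserts a /data/ segment right after the mount."""
    mount, secret_path = mount.strip("/"), secret_path.strip("/")
    if kv_version == 1:
        return f"{mount}/{secret_path}"
    if kv_version == 2:
        return f"{mount}/data/{secret_path}"
    raise ValueError(f"unsupported KV version {kv_version}")

def secret_data(response, kv_version):
    """Key/value pairs: v1 returns them under "data", v2 nests them one
    level deeper under data.data, next to the version metadata."""
    return response["data"] if kv_version == 1 else response["data"]["data"]

def policy_allows(policy, path, capability):
    """Simplified ACL model (assumption): the most specific matching rule
    wins, exact paths beat trailing-'*' globs, "deny" refuses everything."""
    best, best_len = None, -1
    for rule_path, rule in policy["path"].items():
        if rule_path.endswith("*"):
            prefix = rule_path[:-1]
            if not path.startswith(prefix) or len(prefix) <= best_len:
                continue
            best, best_len = rule, len(prefix)
        elif path == rule_path:
            best, best_len = rule, len(rule_path) + 1  # exact beats any glob
    if best is None or "deny" in best["capabilities"]:
        return False
    return capability in best["capabilities"]
```

Note that the v1-style path `secret_v2/my-secret-v2/dev` matches nothing in the v2 policy, because the post's rules only name the `/data/` form.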

You received this message because you are subscribed to the Google Groups "Vault" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/b82b01b3-a938-4139-8900-393f4465595a%40googlegroups.com.

Corentin Fresnel
Aug 21, 2018, 9:28:32 AM
to Vault
Thanks for this @jeff