Reputation: 1209
I set up Vault backed by a Consul cluster. I secured it with HTTPS and am trying to use the CLI on a separate machine to get and set secrets in the kv engine. I am using version 1.0.2 of both the CLI and Vault server.
I have logged in with the root token so I should have access to everything. I have also set my VAULT_ADDR appropriately.
Here is my request:
vault kv put secret/my-secret my-value=yea
Here is the response:
Error making API request.
URL: GET https://{my-vault-address}/v1/sys/internal/ui/mounts/secret/my-secret
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "secret/my-secret/"
I don't understand what is happening here. I am able to set and read secrets in the kv engine no problem from the Vault UI. What am I missing?
Upvotes: 42
Views: 31156
Reputation: 11
For the newer v2 version:
vault kv put -mount=kv my-secret PASSWORD=password
Upvotes: 0
Reputation: 535
You need to update secret/my-secret to whichever path you mounted when you enabled the kv secret engine.
For example, if you enable the secret engine like this:
vault secrets enable -version=2 kv-v2
You should mount to kv-v2 instead of secret:
vault kv put kv-v2/my-secret my-value=yea
Upvotes: 0
Reputation: 1541
You can enable the secret engine for a specific path:
vault secrets enable -path=kv kv
https://www.vaultproject.io/intro/getting-started/secrets-engines
Upvotes: 25
Reputation: 1209
This was a result of me not reading documentation.
The request was failing because there was no secret engine mounted at that path.
You can check your secret engine paths by running vault secrets list -detailed
This showed that my kv secret engine was mapped to path kv, not secret, as I was trying.
Therefore running vault kv put kv/my-secret my-value=yea worked as expected.
Upvotes: 63
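The check from the answer above, as an added example that is not part of the original posts: a shell helper that reads the table printed by vault secrets list and reports which mount, if any, serves a given path. The mount table is constructed sample data, and find_mount is a hypothetical helper name.

```shell
# Constructed sample of `vault secrets list` output (not taken from the page).
SAMPLE_MOUNTS='Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_00000000    per-token private secret storage
identity/     identity     identity_00000000     identity store
kv/           kv           kv_00000000           n/a
sys/          system       system_00000000       system endpoints
team/kv/      kv           kv_11111111           n/a'

# find_mount PATH (hypothetical helper): read a mount table on stdin and print
# "<mount> <type>" for the longest mount path that is a prefix of PATH.
# Returns 1 when no secrets engine is mounted for PATH.
find_mount() {
    awk -v p="$1" '
        $1 == "Path" || $1 ~ /^-+$/ { next }   # skip the two header lines
        {
            m = $1                               # mount paths end with "/"
            if (index(p "/", m) == 1 && length(m) > length(best)) {
                best = m; t = $2
            }
        }
        END {
            if (best == "") exit 1
            print best, t
        }'
}

# Against a live server: vault secrets list | find_mount secret/my-secret
for p in secret/my-secret kv/my-secret team/kv/app/db; do
    if m=$(printf '%s\n' "$SAMPLE_MOUNTS" | find_mount "$p"); then
        echo "$p -> mount ${m% *} (type ${m#* })"
    else
        echo "$p -> no secrets engine mounted here; vault kv put will fail the preflight check"
    fi
done
```

With the sample table, secret/my-secret matches no mount, which is the situation behind the 403 in the question, while kv/my-secret resolves to the kv/ mount.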