Reputation: 24616
I'm trying to perform a simple use case of creating a user and writing a kv secret using Vault v1.1.2:
First I do some initial setup after starting the server in production mode:
vault operator unseal <unseal key>
vault operator unseal <unseal key>
vault operator unseal <unseal key>
export VAULT_ROOT_TOKEN=<token>
Next, I do some setup, including creating a policy:
vault -version
vault login $VAULT_ROOT_TOKEN
vault auth enable userpass
vault secrets enable -version=2 -path=secret kv
vault policy write my-policy -<<EOF
path "secret/*" {
capabilities = ["create", "update"]
}
path "secret/foo" {
capabilities = ["read"]
}
path "secret/data/*" {
capabilities = ["create", "update"]
}
path "secret/data/foo" {
capabilities = ["read"]
}
EOF
vault token create -policy=my-policy
I then create a user:
vault write auth/userpass/users/chris \
password=password \
policies=my-policy,default
vault login -method=userpass username=chris password=password
Which returns:
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token ...
token_accessor ...
token_duration 10h
token_renewable true
token_policies ["default" "my-policy"]
identity_policies []
policies ["default" "my-policy"]
token_meta_username chris
Next, I try writing a kv secret:
vault kv put secret/foo my-value=s3cr3t
However, the error I get is:
Error writing data to secret/data/foo: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/data/foo
Code: 403. Errors:
* 1 error occurred:
* permission denied
What am I missing?
Upvotes: 4
Views: 6873
Reputation: 24616
Ok, it was my policy. I changed path "secret/data/foo"
to the following and it works ok.
path "secret/data/foo" {
capabilities = ["create", "read", "update", "delete"]
}
Upvotes: 2
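To see why the original policy denies the write, here is an added Python model (not Vault's own code and not part of the answer above) of Vault's documented rule selection: `vault kv put secret/foo` on a v2 mount hits `secret/data/foo`, an exact path rule wins over any glob rule, and capabilities are never merged between rules, so the read-only `secret/data/foo` rule shadows the create/update `secret/data/*` rule. The two policies are transcribed from the question and the answer; the matching functions are a simplification that ignores templated paths and `+` segments.

```python
"""Simplified model of Vault ACL rule selection (added illustration, not Vault code).

Rules modelled from Vault's documented behaviour:
  * an exact path rule takes priority over every glob ("prefix/*") rule,
  * among glob rules, the longest matching prefix wins,
  * capabilities come only from the single winning rule (no merging),
  * "deny" in the winning rule overrides everything else.
"""
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]

# Policy from the question: secret/data/foo is read-only, so kv put is denied.
ORIGINAL_POLICY: Policy = {
    "secret/*": ["create", "update"],
    "secret/foo": ["read"],
    "secret/data/*": ["create", "update"],
    "secret/data/foo": ["read"],
}

# Policy after the answer's fix to the secret/data/foo rule.
FIXED_POLICY: Policy = dict(ORIGINAL_POLICY)
FIXED_POLICY["secret/data/foo"] = ["create", "read", "update", "delete"]


def kv2_request_path(mount: str, key: str) -> str:
    """`vault kv put <mount>/<key>` on a KV v2 mount writes to <mount>/data/<key>."""
    return f"{mount}/data/{key}"


def matching_rule(policy: Policy, request_path: str) -> Optional[str]:
    """Return the single rule Vault would apply to request_path, or None."""
    if request_path in policy:  # exact match always wins over globs
        return request_path
    best, best_len = None, -1
    for rule in policy:
        if rule.endswith("*"):
            prefix = rule[:-1]
            if request_path.startswith(prefix) and len(prefix) > best_len:
                best, best_len = rule, len(prefix)
    return best


def is_allowed(policy: Policy, request_path: str, capability: str) -> bool:
    """kv put needs 'create' (new key) or 'update' (existing key) on the data path."""
    rule = matching_rule(policy, request_path)
    if rule is None or "deny" in policy[rule]:
        return False
    return capability in policy[rule]
```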