Access Denied on vault secrets


This is because when you are granting access to secrets you need to use the data path after the secret backend. In your case: secret/data/k8s/bex/app1

Long version:

If you are using the older (deprecated) KV1 version then your policy looks like this:

path "secret/dev/team-1/*" {
  capabilities = ["create", "update", "read"]

If (I assume) you are using the new KV2 secret engine (default), then the reading versions are prefixed with the data/ path.

path "secret/data/dev/team-1/*" {
  capabilities = ["create", "update", "read"]

More in the Official Docs.

CLICK HERE to find out more related problems solutions.

Leave a Comment

Your email address will not be published.

Scroll to Top