Ui not showing KV secret metadata tab #15347

Closed
JanMa opened this issue May 10, 2022 · 1 comment
Labels
bug Used to indicate a potential bug ui

JanMa commented May 10, 2022

Describe the bug
When using the UI to access KV secrets, it does not show the metadata of a given secret although the token's policies grant access to it. Only if the policy grants metadata read access to all secrets, the tab is shown.

To Reproduce
Steps to reproduce the behavior:

  1. Create a token with the following policy:
# List top-level key/value secrets metadata.
path "secret/metadata/" {
  capabilities = ["list"]
}

# List, create, update, and delete key/value secrets
path "secret/data/team_acme/*" {
  capabilities = ["create", "read", "update", "delete"]
}

path "secret/metadata/team_acme/*" {
  capabilities = ["read", "delete", "list"]
}

path "secret/delete/team_acme/*" {
  capabilities = ["update"]
}

path "secret/undelete/team_acme/*" {
  capabilities = ["update"]
}

path "secret/destroy/team_acme/*" {
  capabilities = ["update"]
}
  2. Create some secret in the team_acme folder
  3. Log in with the token and access the secret in the UI
  4. The metadata tab in the secret details is not shown.

[Screenshot: ui-meta-hidden]

Expected behavior
The UI should show the metadata tab because the policy allows accessing it.

Workaround
If the policy grants list and read access to all secrets, the metadata tab is shown in the secret details.

# List top-level key/value secrets metadata.
path "secret/metadata/*" {
  capabilities = ["list", "read"]
}

# List, create, update, and delete key/value secrets
path "secret/data/team_acme/*" {
  capabilities = ["create", "read", "update", "delete"]
}

path "secret/metadata/team_acme/*" {
  capabilities = ["read", "delete", "list"]
}

path "secret/delete/team_acme/*" {
  capabilities = ["update"]
}

path "secret/undelete/team_acme/*" {
  capabilities = ["update"]
}

path "secret/destroy/team_acme/*" {
  capabilities = ["update"]
}

[Screenshot: ui-meta-shown]

Environment:

  • Vault Server Version (retrieve with vault status): 1.10.2
  • Vault CLI Version (retrieve with vault version): 1.10.2
  • Server Operating System/Architecture: Vault HELM chart
@hsimon-hashicorp hsimon-hashicorp added ui bug Used to indicate a potential bug labels May 10, 2022
@hellobontempo
Contributor

Thanks for reporting @JanMa! I've filed a ticket to track a fix. In the meantime, you should be able to navigate directly to http://localhost:8200/ui/vault/secrets/secret/metadata/team_acme/empty as a more secure workaround - so you don't have to make any policy changes.
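
Added example (not part of the issue thread and not Vault's own code): a simplified Python model of Vault ACL path matching, assuming only exact paths and trailing-`*` prefix globs, applied to the metadata and data rules of the two policies in the report. It shows what the policy workaround grants beyond the original policy; `team_acme/db` and `team_other/db` are constructed secret names.

```python
# Simplified model of Vault policy path matching (assumption: exact paths and
# trailing-"*" prefix globs only; no "+" segments, no "deny" handling).
# The delete/undelete/destroy rules are identical in both policies and omitted.

ORIGINAL = {  # policy from "To Reproduce"
    "secret/metadata/": ["list"],
    "secret/data/team_acme/*": ["create", "read", "update", "delete"],
    "secret/metadata/team_acme/*": ["read", "delete", "list"],
}

WORKAROUND = {  # policy from "Workaround"
    "secret/metadata/*": ["list", "read"],
    "secret/data/team_acme/*": ["create", "read", "update", "delete"],
    "secret/metadata/team_acme/*": ["read", "delete", "list"],
}


def capabilities(policy, path):
    """Return the capabilities of the most specific rule matching `path`."""
    if path in policy:  # an exact rule beats any glob
        return set(policy[path])
    best = None
    for rule in policy:
        if rule.endswith("*") and path.startswith(rule[:-1]):
            if best is None or len(rule) > len(best):
                best = rule  # the longest matching prefix wins
    return set(policy[best]) if best else set()


def extra_grants(path):
    """Capabilities the workaround policy adds on `path` over the original."""
    return capabilities(WORKAROUND, path) - capabilities(ORIGINAL, path)


if __name__ == "__main__":
    # Constructed sample paths: one inside team_acme, one in another team's folder.
    for p in ("secret/metadata/team_acme/db",
              "secret/metadata/team_other/db",
              "secret/metadata/"):
        print(f"{p}: original={sorted(capabilities(ORIGINAL, p))} "
              f"workaround={sorted(capabilities(WORKAROUND, p))} "
              f"extra={sorted(extra_grants(p))}")
```

Under this model the original policy already grants `read` on `secret/metadata/team_acme/db`, while the workaround policy additionally grants `list` and `read` on metadata outside `team_acme`.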
