Forbidden: 1 error occurred: * permission denied

[utkonos]

I am trying to do make a basic script to get one secret from a kv secrets engine. I must be doing something totally wrong. I have created a path called "apikey" of kv v2. I made a policy like so:

path "apikey/*" {
  capabilities = ["read", "list"]
}

I created a token with this policy and put a secret called "somesite" and a k/v pair under that: key = abc. When I get this after login with the token on CLI everything works as expected. When I use the following code snippet, all I get is Forbidden and permission denied. What might I be doing wrong?

import hvac
client = hvac.Client()
client.is_authenticated()
secret_version_response = client.secrets.kv.v2.read_secret_version(path='apikey/somesite/key')

The return value from client.is_authenticated() is True. I have tried different paths apikey, apikey\somesite etc. I can see as part of the error that the path being used in the URL on the Vault API includes v1 not v2 for one even though in the code is should be using v2.

For example, for the code above, it throws this error:

Forbidden: 1 error occurred:
	* permission denied

, on get https://example.com:8200/v1/secret/data/apikey/somesite/key

[utkonos]

I'm able to get where I need to go just using requests and pathlib.

import pathlib
import requests
token_path = pathlib.Path().home().joinpath('.vault-token')
token_path.exists()
token = token_path.read_text()
headers = {'X-Vault-Token': token,
           'Content-Type': 'application/json'}
response = requests.get('https://example.com:8200/v1/apikey/data/somesite', headers=headers)
apikey = response.json().get('data').get('data').get('key')

There is a little cleanup that I can do to improve this such as provide values if fields are missing from JSON and some error handling and pull the VAULT_ADDR environment variable. But this is a good starting point. I don't think I need hvac at all. I'll close this discussion as answered.

[colin-pm]

The issue was you have a kv mount_point of "apikey" and need to specify it in your hvac calls.

For the example above you'd call read_secret_version(mount_point="apikey")

[colin-pm]

See note in top of docs:
https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html

[utkonos]

Thanks