Introduction

Vault policies use glob-style wildcards to grant access to paths. However, when Vault namespaces are enabled (Vault Enterprise), the namespace prefix is part of the full path, and wildcards in policies do not automatically match across namespace boundaries. This causes policies that work in the root namespace to fail in child namespaces.

Symptoms

  • Application receives 403 Permission Denied when accessing secrets
  • Vault audit logs show permission denied for paths that should match the policy
  • Policy contains path "secret/data/*" but access to ns1/secret/data/* is denied
  • Same policy works for root namespace but fails for child namespaces
  • Error message: permission denied: path "ns1/secret/data/app" not authorized by policy

Common Causes

  • Policy wildcard secret/data/* does not match namespace-prefixed paths like ns1/secret/data/*
  • Namespace not specified in the API request, defaulting to root namespace
  • Policy attached to a token that was issued in the wrong namespace
  • Wildcard + (single segment) vs * (multiple segments) not used correctly
  • Namespace hierarchy deeper than the policy's wildcard pattern accounts for

Step-by-Step Fix

  1. Check the token's namespace and policy: Verify the token's effective namespace.

```bash
export VAULT_NAMESPACE="ns1"
vault token lookup
# Check policies attached to the token
```

  2. Review the policy path patterns: Identify the mismatch.

```bash
vault policy read my-app-policy
# Check if paths include namespace prefixes
```

  3. Update the policy to include namespace-aware paths: Add namespace-specific path patterns.

```hcl
# vault-policy.hcl
# Root-namespace path (unchanged)
path "secret/data/my-app/*" {
  capabilities = ["read", "list"]
}
# "+" matches exactly one path segment, i.e. one namespace level in front of the path
path "+/secret/data/my-app/*" {
  capabilities = ["read", "list"]
}
```

  4. Apply the updated policy: Register the new policy version.

```bash
vault policy write my-app-policy vault-policy.hcl
```

  5. Test access with the correct namespace: Verify the fix works.

```bash
export VAULT_NAMESPACE="ns1"
vault kv get secret/data/my-app/config
```
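As an added illustration, not part of this page or of Vault's own code, the following Python model of the glob rules behind the policy above shows why the root-only stanza denies the namespaced path and why the `+` stanza fixes it for exactly one namespace level (and not for a deeper hierarchy). It assumes, as an approximation of Vault's documented semantics, that `*` is only valid as the last character of a pattern and matches any suffix, while `+` matches exactly one path segment; the policy dictionaries and request paths are constructed from the text.

```python
import re

def vault_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a Vault policy path pattern into an anchored regex.

    Assumption: mirrors Vault's documented glob rules, not its real ACL code.
    '*' is only valid as the last character and matches any suffix (even none);
    '+' stands for exactly one path segment (one or more non-'/' characters).
    """
    if "*" in pattern[:-1]:
        raise ValueError("'*' is only allowed at the end of a Vault path pattern")
    parts = []
    for seg in pattern.split("/"):
        if seg == "+":
            parts.append(r"[^/]+")
        elif seg.endswith("*"):
            parts.append(re.escape(seg[:-1]) + r".*")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")

# Constructed policies: the original root-only stanza from the Symptoms list,
# and the two stanzas from vault-policy.hcl in step 3.
ORIGINAL_POLICY = {"secret/data/*": {"read", "list"}}
FIXED_POLICY = {
    "secret/data/my-app/*": {"read", "list"},
    "+/secret/data/my-app/*": {"read", "list"},
}

def capabilities_for(policy: dict, full_path: str) -> set:
    """Union of capabilities from every stanza matching the namespace-prefixed path."""
    caps = set()
    for pattern, granted in policy.items():
        if vault_glob_to_regex(pattern).match(full_path):
            caps |= granted
    return caps

def check(policy: dict, full_path: str, capability: str) -> str:
    """Return 'allowed' or a denial message in the format shown under Symptoms."""
    if capability in capabilities_for(policy, full_path):
        return "allowed"
    return f'permission denied: path "{full_path}" not authorized by policy'

if __name__ == "__main__":
    print(check(ORIGINAL_POLICY, "ns1/secret/data/app", "read"))  # denied: no prefix
    print(check(FIXED_POLICY, "ns1/secret/data/my-app/config", "read"))  # allowed
    # '+' covers one segment only, so a deeper hierarchy is still denied
    print(check(FIXED_POLICY, "ns1/team-a/secret/data/my-app/config", "read"))
```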

Prevention

  • Always test policies against namespace-prefixed paths, not just root namespace paths
  • Use the + glob (single segment) for namespace wildcards in Enterprise environments
  • Document namespace requirements in the policy creation guidelines
  • Include namespace in token creation: vault token create -namespace=ns1
  • Use Vault's policy simulation tools to test path matching before deployment
  • Monitor policy denied events and correlate with namespace context