A DevOps engineer is troubleshooting an issue where a token cannot read a secret from the KV v2 engine at path 'secret/team-alpha/db-creds'. The token's policy includes the following: path "secret/team-alpha/*" { capabilities = ["read"] }. Which TWO reasons could explain the failure?
Trap 1: The user needs to use the token's accessor to read the secret
The accessor is used for management, not for access.
Trap 2: The secret engine is not tuned to allow reads
Engine tuning does not alter policy permissions.
Trap 3: The token is not a child of the root token
Parentage does not affect path-level permissions.
- A
The user needs to use the token's accessor to read the secret
Why wrong: The accessor is used for management, not for access.
- B
The path in the policy needs to be 'secret/data/team-alpha/*'
KV v2 requires the 'data' segment directly after the mount path in policy paths for secret access.
- C
The token may have an additional restrictive policy from a parent token
Inherited policies from parent tokens or identity can impose additional restrictions.
- D
The secret engine is not tuned to allow reads
Why wrong: Engine tuning does not alter policy permissions.
- E
The token is not a child of the root token
Why wrong: Parentage does not affect path-level permissions.