Vault Policy Denies the App
The checkout app's Vault token can authenticate but can't read its own secret. Fix the policy.
Puzzle Overview
An application's AppRole login succeeds, but every attempt to read its database credentials at `kv/data/apps/checkout/db` comes back with a 403. The policy attached to the role was "tightened" during a recent security review and is now too restrictive — but simply granting `*` on everything is not acceptable.
Your job: get the app working without opening the blast radius. Only the exact secret path the app needs should be readable; everything else the token can see today must stay denied.
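The acceptance test above (the one path readable, everything else still denied) can be checked mechanically. The following is an added example, not part of the original lab or of Vault's code: a simplified model of how a single Vault policy resolves a path, run against three constructed policies. The policy contents and probe paths are assumptions made for illustration; only `kv/data/apps/checkout/db` comes from the puzzle.

```python
# Simplified model of Vault ACL path matching for ONE policy: exact paths and
# trailing-* prefix globs only (no '+' segments, no merging of several policies).

def capabilities(policy, path):
    """Capabilities the policy grants on path: an exact match wins, otherwise
    the longest matching prefix glob, otherwise nothing (implicit deny)."""
    if path in policy:
        return set(policy[path])
    globs = [p for p in policy if p.endswith("*") and path.startswith(p[:-1])]
    return set(policy[max(globs, key=len)]) if globs else set()

def allowed(policy, path, cap):
    caps = capabilities(policy, path)
    return cap in caps and "deny" not in caps  # an explicit deny always wins

def audit(policy, needed, must_stay_denied):
    """Return findings; an empty list means the app works and nothing else opened."""
    findings = []
    if not allowed(policy, needed, "read"):
        findings.append(f"403 on required path: {needed}")
    for path in must_stay_denied:
        for cap in ("read", "list", "update", "delete"):
            if allowed(policy, path, cap):
                findings.append(f"over-broad: {cap} allowed on {path}")
    return findings

NEEDED = "kv/data/apps/checkout/db"  # the path from the puzzle text
# Constructed probe paths that the checkout token has no reason to touch.
PROBES = ["kv/data/apps/checkout/api-key", "kv/data/apps/billing/db",
          "kv/metadata/apps/checkout/db", "sys/policies/acl/checkout"]

# Constructed policies, written as {path: [capabilities]} like HCL path stanzas.
TOO_TIGHT = {"kv/data/apps/checkout/config": ["read"]}   # never covers NEEDED
TOO_BROAD = {"*": ["read", "list"]}                      # the rejected shortcut
LEAST_PRIVILEGE = {NEEDED: ["read"]}                     # one path, one verb

if __name__ == "__main__":
    for name, pol in [("too tight", TOO_TIGHT), ("too broad", TOO_BROAD),
                      ("least privilege", LEAST_PRIVILEGE)]:
        print(name, "->", audit(pol, NEEDED, PROBES) or "ok")
```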