Vault Policy Denies the App
The checkout app's Vault token can authenticate but can't read its own secret. Fix the policy.
Puzzle Overview
An application's AppRole login succeeds, but every attempt to read its database credentials at `kv/data/apps/checkout/db` comes back with a 403. The policy attached to the role was "tightened" during a recent security review and is now too restrictive — but simply granting `*` on everything is not acceptable.
Your job: get the app working without opening the blast radius. Only the exact secret path the app needs should be readable; everything else the token can see today must stay denied.
Technologies Covered
Choose your plan
Simple, Transparent Pricing
Unlock full access to TeKanAid courses, labs, and bootcamps
Just exploring? Start free below. Want the full experience? Try Premium free for 7 days (card required, $0 today).
Pro
All courses, with lab scripts to run on your own machine
Renews automatically. Cancel anytime.
Final price verified at checkout.
- Full access to all courses
- Lab scripts to download and run on your own machine (hosted labs not included)
- Progress tracking
- Certificate of completion
- Community access
- Bootcamp participation
- New content access
Premium
Full access, including unlimited hosted labs
Renews automatically. Cancel anytime.
Final price verified at checkout.
- Everything in Pro
- Unlimited hands-on labs, fully hosted on TeKanAid Academy (nothing to set up)
- Lab AI Assistant
- Accelerator bootcamps with live office hours
- Priority support
Just exploring? Start free, no account needed
Three free ways to start. All bridge into the paid Premium catalog when you're ready.
Not ready to commit? The crash course is email-only. No academy account required.