
fail when kv2 secret path starts with "data" #1340

Closed
regentov opened this issue Feb 18, 2020 · 1 comment · Fixed by #1341

Comments


regentov commented Feb 18, 2020

Consul Template version

consul-template v0.22.0 (005b42e)
vault v1.3.2

Configuration

# Copy-paste your Consul Template template here
{{- with secret "test/dataface/test" }}
name={{ .Data.data.name }}
{{ end }}

Expected behavior

As stated in the docs, in vault 0.10.1+ the secret path does not have to be prefixed with "data" if it is kv2.

Actual behavior

When accessing "test/dataface/test", a 403 is thrown:

2020/02/17 05:33:16.983733 [WARN] (view) vault.read(test/dataface/test): vault.read(test/dataface/test): Error making API request.

URL: GET https://vault-test.tld/v1/test/dataface/test
Code: 403. Errors:

* permission denied (retry attempt 10 after "1m0s")

So, the secret path has to be prefixed with "data", i.e. only "test/data/dataface/test" works if the secret path begins with the letters "data".

When the secret path does not begin with the letters "data", it works as expected, i.e. both "test/datoface/test" and "test/data/datoface/test" are good.

Steps to reproduce

  1. Create kv2 vault engine named "test"
  2. Create secrets "test/dataface/test" and "test/datoface/test" with some "name" in it. Give access to both for consul token.
  3. Access them with "with secret". First does not work, second does.
@findkim
Contributor

findkim commented Mar 2, 2020

Hi @regentov, thank you for filing an issue for this bug.

I was able to reproduce the error, and found a minor issue in how the data prefix was being checked for kv2 secret paths. #1341 should fix the underlying problem. Let me know if you have any followup concerns on this bug!

Thanks,
Kim

eikenb added this to the 0.25.0 milestone Apr 24, 2020
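The failure mode described in this thread, reconstructed as an added Go example (not consul-template's code and not the fix from #1341): a check that tests whether the rest of the path merely starts with the letters "data" mistakes "dataface/test" for an already-prefixed kv2 path and skips inserting "data/", which is why Vault answers the request for test/dataface/test with 403. The mount name "test" and the two helper functions are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// relativeToMount strips the kv2 mount from the secret path. A mount only
// matches as a whole path element, so "test" never swallows "testing/...".
func relativeToMount(mount, secretPath string) string {
	if secretPath == mount {
		return ""
	}
	return strings.TrimPrefix(secretPath, mount+"/")
}

// naiveKV2Path reproduces the reported bug (hypothetical reconstruction):
// any remainder that *begins with* the letters "data" is treated as already
// carrying the kv2 "data/" element, so "dataface/test" is passed through
// unchanged and Vault rejects it.
func naiveKV2Path(mount, secretPath string) string {
	rest := relativeToMount(mount, secretPath)
	if strings.HasPrefix(rest, "data") {
		return path.Join(mount, rest)
	}
	return path.Join(mount, "data", rest)
}

// segmentKV2Path compares the first path *segment* after the mount against
// "data", so only an explicit "data/" element counts as already present and
// secrets whose name happens to start with "data" are still prefixed.
func segmentKV2Path(mount, secretPath string) string {
	rest := relativeToMount(mount, secretPath)
	first := strings.SplitN(rest, "/", 2)[0]
	if first == "data" {
		return path.Join(mount, rest)
	}
	return path.Join(mount, "data", rest)
}

func main() {
	// The four paths from the issue: the first one exposes the difference.
	for _, p := range []string{"test/dataface/test", "test/data/dataface/test",
		"test/datoface/test", "test/data/datoface/test"} {
		fmt.Printf("%-25s naive=%-28s segment=%s\n",
			p, naiveKV2Path("test", p), segmentKV2Path("test", p))
	}
}
```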