hashicorp · fairclothjm · Mar 19, 2024 · Mar 18, 2024 · Mar 18, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 BUGS:
 * fix `vault_azure_access_credentials` to default to Azure Public Cloud ([#2190](https://github.com/hashicorp/terraform-provider-vault/pull/2190))
+* do not require sudo permissions for auth read operations ([#2198](https://github.com/hashicorp/terraform-provider-vault/pull/2198))
 
 ## 4.0.0 (Mar 13, 2024)
 

diff --git a/go.mod b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-jwt v0.18.0
 	github.com/hashicorp/vault-plugin-auth-kerberos v0.10.1
 	github.com/hashicorp/vault-plugin-auth-oci v0.14.2
-	github.com/hashicorp/vault/api v1.12.1-0.20240306142153-823b7dab7a2a
+	github.com/hashicorp/vault/api v1.12.2
 	github.com/hashicorp/vault/sdk v0.10.2
 	github.com/jcmturner/gokrb5/v8 v8.4.4
 	github.com/mitchellh/go-homedir v1.1.0

diff --git a/go.sum b/go.sum
@@ -1618,8 +1618,8 @@ github.com/hashicorp/vault/api v1.4.1/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidg
 github.com/hashicorp/vault/api v1.9.1/go.mod h1:78kktNcQYbBGSrOjQfHjXN32OhhxXnbYl3zxpd2uPUs=
 github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
 github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
-github.com/hashicorp/vault/api v1.12.1-0.20240306142153-823b7dab7a2a h1:ugYa6uR+oxdcSvWs8wC2nPYIU2pm2lFmOhs19zquGo8=
-github.com/hashicorp/vault/api v1.12.1-0.20240306142153-823b7dab7a2a/go.mod h1:1pqP/sErScodde+ybJCyP+ONC4jzEg7Dmawg/QLWo1k=
+github.com/hashicorp/vault/api v1.12.2 h1:7YkCTE5Ni90TcmYHDBExdt4WGJxhpzaHqR6uGbQb/rE=
+github.com/hashicorp/vault/api v1.12.2/go.mod h1:LSGf1NGT1BnvFFnKVtnvcaLBM2Lz+gJdpL6HUYed8KE=
 github.com/hashicorp/vault/sdk v0.1.14-0.20200519221530-14615acda45f/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10=
 github.com/hashicorp/vault/sdk v0.2.1/go.mod h1:WfUiO1vYzfBkz1TmoE4ZGU7HD0T0Cl/rZwaxjBkgN4U=
 github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0=

diff --git a/website/docs/guides/policies.html.markdown b/website/docs/guides/policies.html.markdown
@@ -36,7 +36,7 @@ path "auth/token/create"
 # Permit managing the lifecycle of the gcp secrets engine mount
 path "sys/mounts/gcp"
 {
-  capabilities = ["read", "create", "update", "delete", "sudo"]
+  capabilities = ["read", "create", "update", "delete"]
 }
 
 # Permit reading tune metadata of the gcp secrets engine

diff --git a/website/docs/guides/version_4_upgrade.html.markdown b/website/docs/guides/version_4_upgrade.html.markdown
@@ -87,7 +87,7 @@ This means that only Vault server version `1.11.x` and greater will be supported
 
 With this change, Vault will require read policies to be set at the path level.
 For example, instead of permissions at `sys/auth` you must set permissions at
-the `sys/auth/:path` level. Please refer to the details in the
+the `sys/mounts/auth/:path` level. Please refer to the details in the
 [Provider Policy Changes](#provider-policy-changes) section.
 
 The changes in this case are blocking but not destructive. That is, deployments
@@ -230,7 +230,7 @@ individual resources might require.
     <td>GET</td>
     <td>sys/auth</td>
     <td>GET</td>
-    <td>sys/auth/:path</td>
+    <td>sys/mounts/auth/:path</td>
   </tr>
 </tbody>
 </table>
@@ -247,11 +247,11 @@ path "sys/auth"
 ```
 
 In version 4.X the `vault_gcp_auth_backend` resource retrieves mount metadata
-with the GET `sys/auth/:path` HTTP operation which corresponds to the following
+with the GET `sys/mounts/auth/:path` HTTP operation which corresponds to the following
 policy in Vault:
 
 ```hcl
-path "sys/auth/gcp"
+path "sys/mounts/auth/gcp"
 {
     capabilities = ["read"]
 }