Consul KV Store returns 403 on the parent folder of my key


I have a key in my KV store, let's say /global/test/my-key, and I use a token that has the following policy:

key "/global/test/my-key" { 
    policy = "read"
}

Why, using the UI, can I access the URL http://localhost:8500/v1/kv/global/test/my-key/edit but get a 403 on the following URLs: http://localhost:8500/v1/kv/global/test and http://localhost:8500/v1/kv/global?

Is there a way for me to access my key from the UI starting at the URL http://localhost:8500/v1/kv ?

NOTE: I have tried the "list" policy, but it gives read access to the other keys, which is not what I want.

EDIT: I just realized I had forgotten to mention another condition that I am trying to meet. I have another key called, for instance, /global/secret/my-other-key and I don't want that key, nor the folder /global/secret/, to be viewable from the UI.

2

There are 2 best solutions below

1
paladin-devops On

If you wish to have access to all of the mentioned paths, you should use this policy instead:

key_prefix "global" {
  policy = "read"
}

This policy will give you access to global and any "sub-paths" of it.

0
Blake Covarrubias On

Consul does not currently support performing recursive reads on paths where your token only has access to a subset of the keys under that parent path.

There's an open GitHub issue requesting that this functionality be added: https://github.com/hashicorp/consul/issues/4513. I recommend upvoting that issue to indicate your interest, and subscribing to it for updates so that you can track its progress.

If your particular use case is not accurately reflected in the initial description, feel free to leave a comment with additional information.
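
Added example (not part of either answer and not Consul's own code): a simplified Python model of how `key` and `key_prefix` rules resolve, run against the paths from the question. It assumes a default-deny ACL configuration, that an exact `key` rule takes precedence over prefix rules, and that the longest matching `key_prefix` wins; `PREFIX_WITH_DENY` is a hypothetical policy constructed for illustration, and the model covers rule resolution only, not how the UI lists folders.

```python
# Simplified model of Consul KV ACL rule resolution (added example, not Consul's code).
# Assumptions: default policy is deny; an exact `key` rule beats any `key_prefix`
# rule; among `key_prefix` rules the longest matching prefix wins.

def resolve(policy, path):
    """Return the access level ("deny", "read", "list", "write") for a KV path."""
    exact = policy.get("key", {})
    if path in exact:
        return exact[path]
    prefixes = policy.get("key_prefix", {})
    matches = [p for p in prefixes if path.startswith(p)]
    if matches:
        return prefixes[max(matches, key=len)]
    return "deny"

def can_read(policy, path):
    # "list" and "write" both imply read access.
    return resolve(policy, path) in ("read", "list", "write")

def audit(policy, paths):
    """Map each path to True/False readability under the policy."""
    return {p: can_read(policy, p) for p in paths}

# Paths from the question, written as they appear after /v1/kv/ in the URLs.
PATHS = ["global", "global/test", "global/test/my-key",
         "global/secret/my-other-key"]

# The asker's token: a single exact-match rule.
EXACT_ONLY = {"key": {"global/test/my-key": "read"}}

# The first answer's policy: key_prefix "global".
PREFIX_GLOBAL = {"key_prefix": {"global": "read"}}

# Hypothetical variant (constructed): same grant plus a longer deny prefix.
PREFIX_WITH_DENY = {"key_prefix": {"global": "read", "global/secret/": "deny"}}

if __name__ == "__main__":
    for name, pol in [("exact key only", EXACT_ONLY),
                      ("key_prefix global", PREFIX_GLOBAL),
                      ("key_prefix global + deny secret", PREFIX_WITH_DENY)]:
        print(name)
        for path, ok in audit(pol, PATHS).items():
            print(f"  {'allow' if ok else 'deny ':5}  {path}")
```

Under this model the `key_prefix "global"` policy also makes `global/secret/my-other-key` readable, and because the prefix has no trailing slash it matches any key that merely starts with `global`.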