Vault subkey API

shell.sh

$ vault kv put secret/stuff fruit=apple color=red
== Secret Path ==
secret/data/stuff

======= Metadata =======
Key                Value
---                -----
created_time       2023-10-04T19:20:52.20066Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

$ vault policy write subkeys - <<EOP
path "secret/subkeys/stuff" {
  capabilities = ["read"]
}
EOP

$ vault token create -policy=subkeys
Key                  Value
---                  -----
token                hvs.CAESIF0WT8L4i-HYRL67F1fZqqiLH9Wa56qs6Yx4Qu0-HbXHGh4KHGh2cy5IeEtHSmNKTGhKbXYwUXpteUxWcWZyZmQ
token_accessor       Qk2CpxScaMWJ4tN6TyZKqroY
token_duration       768h
token_renewable      true
token_policies       ["default" "subkeys"]
identity_policies    []
policies             ["default" "subkeys"]

$ vault login hvs.CAESIF0WT8L4i-HYRL67F1fZqqiLH9Wa56qs6Yx4Qu0-HbXHGh4KHGh2cy5IeEtHSmNKTGhKbXYwUXpteUxWcWZyZmQ
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.CAESIF0WT8L4i-HYRL67F1fZqqiLH9Wa56qs6Yx4Qu0-HbXHGh4KHGh2cy5IeEtHSmNKTGhKbXYwUXpteUxWcWZyZmQ
token_accessor       Qk2CpxScaMWJ4tN6TyZKqroY
token_duration       767h59m42s
token_renewable      true
token_policies       ["default" "subkeys"]
identity_policies    []
policies             ["default" "subkeys"]

$ vault read secret/subkeys/stuff
Key         Value
---         -----
metadata    map[created_time:2023-10-04T19:20:52.20066Z custom_metadata:<nil> deletion_time: destroyed:false version:1]
subkeys     map[color:<nil> fruit:<nil>]

➜  ~ vault read secret/data/stuff
Error reading secret/data/stuff: Error making API request.

URL: GET http://127.0.0.1:8200/v1/secret/data/stuff
Code: 403. Errors:

* 1 error occurred:
	* permission denied