Bootstrap FreeKB - Hashicorp Vault - Resolve "403 permission denied"


Let's say you get 403 permission denied when interacting with Hashicorp Vault, for example when listing secrets with the CLI.

~]$ vault kv list secret/
Error making API request.

URL: GET http://vault.example.com:8200/v1/sys/internal/ui/mounts/secret
Code: 403. Errors:

* permission denied


The most likely reason is that you have not authenticated. The vault CLI sends the token found in the VAULT_TOKEN environment variable or stored by the token helper (by default ~/.vault-token); with no token, or with an expired or revoked one, Vault answers 403 permission denied. Use the vault login command to authenticate, and vault token lookup to see which token the CLI is currently using and how much ttl it has left. The example below logs in with a root token, which is fine for initial setup but should not be used for day-to-day work; prefer an auth method such as userpass, AppRole or OIDC that issues a token with a scoped policy.

~]# vault login s.gYGVHcHMiGsCZdKAJzWq1Yj1
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.gYGVHcHMiGsCZdKAJzWq1Yj1
token_accessor       Z0Q8To48Rkkgx7zka-dqsDjJ
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]


Or, if using the Python hvac library with the AppRole auth method, authenticate with client.auth.approle.login before making any other request; hvac keeps the returned client token on the client object and sends it with every later call.

#!/usr/bin/python3
import hvac

client = hvac.Client(url='http://vault.example.com:8200')

# Log in with the AppRole's role_id and secret_id. The response contains a
# client token, which hvac stores in client.token for subsequent requests.
client.auth.approle.login(
  role_id="b4a68549-1464-7aac-b0cd-d22954985aa8",
  secret_id="6039e2e2-6017-8db9-2e1b-dd6bd449f901"
)

# Confirm a token is actually in place before reading or listing secrets;
# without one every request comes back as 403 permission denied.
assert client.is_authenticated()


The next most likely reason is that your token is valid but its policies do not grant the capability needed on that path. For example, let's say you want to list secrets at path secret/foo on a KV version 1 secrets engine. A list request is checked against the path with a trailing slash, secret/foo/, so the token needs the list capability there, which a policy rule like the following grants. With a KV version 2 engine, vault kv list secret/foo actually requests secret/metadata/foo, so the rule must cover secret/metadata/foo/* instead.

path "secret/foo/*" {
  capabilities = ["list"]
}


The vault token capabilities command shows which capabilities the current token has on a path (to check a different token, pass it first: vault token capabilities TOKEN PATH). In this example the token carries the root policy, so the output is root; a token with no matching policy rule prints deny. Note that because a list request is checked against the path with a trailing slash, a list capability granted by secret/foo/* only shows up when you query secret/foo/, not secret/foo.

~]$ vault token capabilities secret/foo
root
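To make the policy and capabilities discussion above concrete, here is an added, simplified model of how Vault decides what a token may do on a path. It is illustration code written for this article, not code from Vault or hvac, and the policy names (foo-list, foo-v2-list, foo-read, foo-deny) and their paths are hypothetical. It models the three outcomes covered on this page: no token at all (deny), the root policy (everything allowed), and ordinary policies, where a path needs a matching rule with the right capability, exact rules outrank globs, deny outranks everything, and a list request is checked against the path with a trailing slash. It only supports exact paths and trailing-* globs (no + segment wildcard, sudo or parameter constraints).

```python
#!/usr/bin/python3
"""Simplified model of Vault's ACL decision for a token on a path.

Added illustration for this article, not Vault or hvac code. Policy names
and paths below are hypothetical. Only exact paths and trailing-'*' globs
are modelled; '+' segment wildcards, sudo and parameter rules are omitted.
"""

# Hypothetical policies, written as {rule_path: [capabilities]}.
POLICIES = {
    "foo-list": {"secret/foo/*": ["list"]},              # KV v1: list under secret/foo
    "foo-v2-list": {"secret/metadata/foo/*": ["list"]},  # KV v2: list goes to secret/metadata/
    "foo-read": {"secret/foo/bar": ["read"]},
    "foo-deny": {"secret/foo/bar": ["deny"]},            # deny wins over anything merged with it
}


def _merged_rules(policy_names):
    """Merge every rule from the token's policies, unioning capabilities per path."""
    rules = {}
    for name in policy_names:
        for path, caps in POLICIES[name].items():
            rules.setdefault(path, set()).update(caps)
    return rules


def capabilities(token_policies, path):
    """Return what `vault token capabilities PATH` would print for this token.

    token_policies=None stands for an unauthenticated request.
    Exact rules beat globs; among globs the longest prefix wins; default is deny.
    """
    if token_policies is None:
        return ["deny"]
    if "root" in token_policies:
        return ["root"]
    best_key, best_caps = None, None
    for rule_path, caps in _merged_rules(token_policies).items():
        if rule_path.endswith("*"):
            prefix = rule_path[:-1]
            if not path.startswith(prefix):
                continue
            key = (0, len(prefix))   # glob: rank by prefix length
        elif rule_path == path:
            key = (1, len(path))     # exact match always outranks globs
        else:
            continue
        if best_key is None or key > best_key:
            best_key, best_caps = key, caps
    if best_caps is None or "deny" in best_caps:
        return ["deny"]
    return sorted(best_caps)


def allow_operation(token_policies, operation, path):
    """Decide a request the way the ACL check does.

    A list request is checked against the path with a trailing slash, which is
    why secret/foo/* grants `vault kv list secret/foo` while
    `vault token capabilities secret/foo` (no slash) still prints deny.
    """
    if operation == "list" and not path.endswith("/"):
        path += "/"
    caps = capabilities(token_policies, path)
    return caps == ["root"] or operation in caps


if __name__ == "__main__":
    for pols, op, path in [
        (None, "list", "secret/foo"),
        (["root"], "list", "secret/foo"),
        (["foo-list"], "list", "secret/foo"),
        (["foo-list"], "list", "secret/metadata/foo"),
        (["foo-list", "foo-v2-list"], "list", "secret/metadata/foo"),
        (["foo-list", "foo-read", "foo-deny"], "read", "secret/foo/bar"),
    ]:
        print(f"{str(pols):40} {op:5} {path:25} -> {allow_operation(pols, op, path)}")
```

Running it walks through the cases from this page: an unauthenticated request and a token whose policies do not cover the path both end in deny, the root policy allows everything, the foo-list rule lets a token list secret/foo on KV v1 but not secret/metadata/foo on KV v2 until a rule for that path is attached, and a deny merged from any policy overrides a read granted elsewhere.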
