Add 1.21.x GUI kvv2 known issues (#1202)

hellobontempo · web-flow · commit 3fcb1143227e · 2025-10-30T12:24:36.000-07:00
Adds known issues for 1.21 GUI kvv2 metadata list failures
diff --git a/content/vault/global/partials/important-changes/summary-tables/1_21.mdx b/content/vault/global/partials/important-changes/summary-tables/1_21.mdx
@@ -19,3 +19,5 @@ Found  | Fixed  | Workaround | Edition    | Issue
 ------ |--------| ---------- | ---------- | -----
 1.21.0 | No     | **Yes**    | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.21.x/updates/important-changes#missed-events)
 1.21.0 | No     | **Yes**    | Enterprise | [Azure static roles fail to parse metadata as a map](/vault/docs/v1.21.x/updates/important-changes#azure-static-roles)
+1.21.0 | No     | **Yes**    | All        | [GUI KV v2 metadata list request fails for some policies](/vault/docs/v1.21.x/updates/important-changes#gui-kvv2-metadata-policy)
+1.21.0 | No     | **Yes**    | Enterprise | [GUI KV v2 listing secrets fails in namespaces](/vault/docs/v1.21.x/updates/important-changes#gui-kvv2-list-namespaces)
diff --git a/content/vault/v1.21.x/content/docs/updates/important-changes.mdx b/content/vault/v1.21.x/content/docs/updates/important-changes.mdx
@@ -82,4 +82,60 @@ filters you have two options:
 1. Spread them out among the nodes of the Vault cluster.
 1. Only subscribe to events on the active node of the cluster.
 
-@include '../../../global/partials/important-changes/known-issue/azure-static-roles.mdx'
+@include '../../../global/partials/important-changes/known-issue/azure-static-roles.mdx'
+
+### GUI KV v2 metadata list request fails for some policies ((#gui-kvv2-metadata-policy))
+
+| Change      | Affected version | Fixed version
+| ----------- | ---------------- | -------------
+| Known issue | 1.21.0           | None
+
+#### Issue
+
+Users cannot list KV v2 secrets in the GUI when the policy granting `list`
+access to metadata does not include a trailing slash. For example:
+
+```
+path "secret/metadata/:path" {   
+  capabilities = ["list"] 
+}
+```
+
+#### Workaround
+
+Option 1: Use the API explorer to list KV v2 secrets instead of the KV v2 GUI page:
+
+1. Select **Tools** from the Vault GUI sidebar.
+1. Click **API Explorer**.
+1. Enter the KV v2 plugin mount path in the "Filter by tag" search bar.
+1. Expand the `GET /:mount/metadata/{path}/` endpoint and click **Try it out**.
+1. Input the secret `path` click **Execute** to perform the HTTP request.
+
+Option 2: Add a trailing slash to the policy path:
+
+```
+path "secret/metadata/:path/" {   
+  capabilities = ["list"] 
+}
+```
+
+
+
+### GUI KV v2 listing secrets fails in namespaces ((#gui-kvv2-list-namespaces)) <EnterpriseAlert inline="true" />
+
+| Change      | Affected version | Fixed version
+| ----------- | ---------------- | -------------
+| Known issue | 1.21.0+ent       | None
+
+#### Issue
+
+The GUI displays "No secrets yet" message for KV v2 engines with existing secrets when
+users navigate to the plugins secret list in a namespace.
+
+#### Workaround
+
+Use the CLI emulator to list KV v2 secrets:
+
+1. Navigate to the desired namespace.
+1. Toggle open the web REPL.
+1. Input the command `list <mount_path_to_kv_plugin_2>/metadata` and press **Enter**.
