add known issue

hellobontempo · hellobontempo · commit 3ffc6abb2db4 · 2025-10-29T15:52:45.000-07:00
diff --git a/content/vault/global/partials/important-changes/summary-tables/1_21.mdx b/content/vault/global/partials/important-changes/summary-tables/1_21.mdx
@@ -19,3 +19,5 @@ Found  | Fixed  | Workaround | Edition    | Issue
 ------ |--------| ---------- | ---------- | -----
 1.21.0 | No     | **Yes**    | Enterprise | [Missed events with multiple event clients](/vault/docs/v1.21.x/updates/important-changes#missed-events)
 1.21.0 | No     | **Yes**    | Enterprise | [Azure static roles fail to parse metadata as a map](/vault/docs/v1.21.x/updates/important-changes#azure-static-roles)
+1.21.0 | No     | **Yes**    | All        | [GUI KV v2 metadata list request fails for some policies](/vault/docs/v1.21.x/updates/important-changes#gui-kvv2-metadata-policy)
+1.21.0 | No     | **Yes**    | Enterprise | [GUI KV v2 listing secrets fails in namespaces](/vault/docs/v1.21.x/updates/important-changes#gui-kvv2-list-namespaces)
diff --git a/content/vault/v1.21.x/content/docs/updates/important-changes.mdx b/content/vault/v1.21.x/content/docs/updates/important-changes.mdx
@@ -82,4 +82,60 @@ filters you have two options:
 1. Spread them out among the nodes of the Vault cluster.
 1. Only subscribe to events on the active node of the cluster.
 
-@include '../../../global/partials/important-changes/known-issue/azure-static-roles.mdx'
+@include '../../../global/partials/important-changes/known-issue/azure-static-roles.mdx'
+
+### GUI KV v2 metadata list request fails for some policies ((#gui-kvv2-metadata-policy))
+
+| Change      | Affected version | Fixed version
+| ----------- | ---------------- | -------------
+| Known issue | 1.21.0           | None
+
+#### Issue
+
+Users cannot list KV v2 secrets in the GUI if their policy grants `list` access to metadata 
+but the policy path does not include a trailing slash.
+
+Example of a policy that previously granted users list access and now returns an error:
+
+```
+path "secret/metadata/:path" {   
+  capabilities = ["list"] 
+}
+```
+
+#### Workaround
+
+To resolve the policy issue, add a trailing slash to the policy path until the fix is released:
+
+```
+path "secret/metadata/:path/" {   
+  capabilities = ["list"] 
+}
+```
+
+You can also use the API explorer to list KV v2 secrets:
+
+1. Select **Tools** from the Vault GUI sidebar.
+1. Click **API Explorer**.
+1. Enter the KV v2 plugin mount path in the "Filter by tag" search bar.
+1. Expand the `GET /:mount/metadata/{path}/` endpoint and click **Try it out**.
+1. Input the secret `path` click **Execute** to perform the HTTP request.
+
+### GUI KV v2 listing secrets fails in namespaces ((#gui-kvv2-list-namespaces)) <EnterpriseAlert inline="true" />
+
+| Change      | Affected version | Fixed version
+| ----------- | ---------------- | -------------
+| Known issue | 1.21.0+ent       | None
+
+#### Issue
+
+The GUI displays a "No secrets yet" message for KV v2 engines with existing secrets when
+users navigate to the list secrets in a namespace.
+
+#### Workaround
+
+You can use the web REPL to list KV v2 secrets:
+
+1. Navigate to the desired namespace.
+1. Toggle open the web REPL.
+1. Input the command `list <mount_path_to_kv_plugin_2>/metadata` and press **Enter**.
