From d60360ddbe7fcfbbd98e11806bacb1a51bd3b14b Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeffrey.mitchell@gmail.com>
Date: Tue, 22 May 2018 14:07:07 -0400
Subject: [PATCH] Add instructions for both kvv1 and kvv2 to getting started
 policies info

---
 .../intro/getting-started/policies.html.md    | 55 +++++++++++++++++--
 1 file changed, 49 insertions(+), 6 deletions(-)

diff --git a/website/source/intro/getting-started/policies.html.md b/website/source/intro/getting-started/policies.html.md
index 9dbc777a8..f7b6711b3 100644
--- a/website/source/intro/getting-started/policies.html.md
+++ b/website/source/intro/getting-started/policies.html.md
@@ -27,13 +27,23 @@ Policies are authored in [HCL][hcl], but it is JSON compatible. Here is an
 example policy:
 
 ```hcl
+# Normal servers have version 1 of KV mounted by default, so will need these
+# paths:
 path "secret/*" {
   capabilities = ["create"]
 }
-
 path "secret/foo" {
   capabilities = ["read"]
 }
+
+# Dev servers have version 2 of KV mounted by default, so will need these
+# paths:
+path "secret/data/*" {
+  capabilities = ["create"]
+}
+path "secret/data/foo" {
+  capabilities = ["read"]
+}
 ```
 
 With this policy, a user could write any secret to `secret/`, except to
@@ -69,13 +79,23 @@ Here is an example you can copy-paste in the terminal:
 
 ```text
 $ vault policy write my-policy -<<EOF
+# Normal servers have version 1 of KV mounted by default, so will need these
+# paths:
 path "secret/*" {
   capabilities = ["create"]
 }
-
 path "secret/foo" {
   capabilities = ["read"]
 }
+
+# Dev servers have version 2 of KV mounted by default, so will need these
+# paths:
+path "secret/data/*" {
+  capabilities = ["create"]
+}
+path "secret/data/foo" {
+  capabilities = ["read"]
+}
 EOF
 ```
 
@@ -92,11 +112,12 @@ To view the contents of a policy, run:
 
 ```text
 $ vault policy read my-policy
+# Normal servers have version 1 of KV mounted by default, so will need these
+# paths:
 path "secret/*" {
   capabilities = ["create"]
 }
-
-# ...
+...
 ```
 
 ## Testing the Policy
@@ -130,11 +151,33 @@ token_policies     [default my-policy]
 Verify that you can write any data to `secret/`, but only read from
 `secret/foo`:
 
+### Dev servers
+
 ```text
-$ vault write secret/bar value=yes
+$ vault kv put secret/bar robot=beepboop
+Key              Value
+---              -----
+created_time     2018-05-22T18:05:42.537496856Z
+deletion_time    n/a
+destroyed        false
+version          1
+
+$ vault kv put secret/foo robot=beepboop
+Error writing data to secret/data/foo: Error making API request.
+
+URL: PUT http://127.0.0.1:8200/v1/secret/data/foo
+Code: 403. Errors:
+
+* permission denied
+```
+
+### Non-dev servers
+
+```text
+$ vault kv put secret/bar robot=beepboop
 Success! Data written to: secret/bar
 
-$ vault write secret/foo value=yes
+$ vault kv put secret/foo robot=beepboop
 Error writing data to secret/foo: Error making API request.
 
 URL: PUT http://127.0.0.1:8200/v1/secret/foo