diff --git a/changelog/12626.txt b/changelog/12626.txt
new file mode 100644
index 0000000000000..7c3cc7cb2a9b1
--- /dev/null
+++ b/changelog/12626.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Add KV secret search box when no metadata list access.
+```
\ No newline at end of file
diff --git a/ui/app/components/get-credentials-card.js b/ui/app/components/get-credentials-card.js
index 9bc650aac3114..a989205bc72d8 100644
--- a/ui/app/components/get-credentials-card.js
+++ b/ui/app/components/get-credentials-card.js
@@ -5,11 +5,16 @@
  *
  * @example
  * ```js
- * <GetCredentialsCard @title="Get Credentials" @searchLabel="Role to use" @models={{array 'database/roles'}} />
+ * <GetCredentialsCard @title="Get Credentials" @searchLabel="Role to use" @models={{array 'database/roles'}} @type="role" @backend={{model.backend}}/>
  * ```
  * @param title=null {String} - The title displays the card title
  * @param searchLabel=null {String} - The text above the searchSelect component
  * @param models=null {Array} - An array of model types to fetch from the API.  Passed through to SearchSelect component
+ * @param type=null {String} - Determines where the transitionTo goes. If role to backend.credentials, if secret backend.show
+ * @param shouldUseFallback=[false] {Boolean} - If true the input is used instead of search select.
+ * @param subText=[null] {String} - Text below title
+ * @param placeHolder=[null] {String} - Only works if shouldUseFallback is true. Displays the helper text inside the input.
+ * @param backend=null {String} - Name of the backend to look up on search.
  */
 
 import Component from '@glimmer/component';
@@ -20,25 +25,36 @@ export default class GetCredentialsCard extends Component {
   @service router;
   @service store;
   @tracked role = '';
+  @tracked secret = '';
 
   @action
   async transitionToCredential() {
     const role = this.role;
+    const secret = this.secret;
     if (role) {
       this.router.transitionTo('vault.cluster.secrets.backend.credentials', role);
     }
+    if (secret) {
+      this.router.transitionTo('vault.cluster.secrets.backend.show', secret);
+    }
   }
 
   get buttonDisabled() {
-    return !this.role;
+    return !this.role && !this.secret;
   }
   @action
   handleRoleInput(value) {
-    // if it comes in from the fallback component then the value is a string otherwise it's an array
-    let role = value;
-    if (Array.isArray(value)) {
-      role = value[0];
+    if (this.args.type === 'role') {
+      // if it comes in from the fallback component then the value is a string otherwise it's an array
+      // which currently only happens if type is role.
+      if (Array.isArray(value)) {
+        this.role = value[0];
+      } else {
+        this.role = value;
+      }
+    }
+    if (this.args.type === 'secret') {
+      this.secret = value;
     }
-    this.role = role;
   }
 }
diff --git a/ui/app/components/secret-create-or-update.js b/ui/app/components/secret-create-or-update.js
index f58e9605e7851..1ecf0a8685d60 100644
--- a/ui/app/components/secret-create-or-update.js
+++ b/ui/app/components/secret-create-or-update.js
@@ -11,7 +11,7 @@
  *  @modelForData={{@modelForData}}
  *  @isV2=true
  *  @secretData={{@secretData}}
- *  @canCreateSecretMetadata=true
+ *  @canCreateSecretMetadata=false
  * />
  * ```
  * @param {string} mode - create, edit, show determines what view to display
@@ -20,7 +20,7 @@
  * @param {object} modelForData - a class that helps track secret data, defined in secret-edit
  * @param {boolean} isV2 - whether or not KV1 or KV2
  * @param {object} secretData - class that is created in secret-edit
- * @param {boolean} canCreateSecretMetadata - based on permissions to the /metadata/ endpoint. If user has secret create access.
+ * @param {boolean} canUpdateSecretMetadata - based on permissions to the /metadata/ endpoint. If user has secret update. create is not enough for metadata.
  */
 
 import Component from '@glimmer/component';
diff --git a/ui/app/components/secret-edit.js b/ui/app/components/secret-edit.js
index f49ac0e770c9a..cb375f1debada 100644
--- a/ui/app/components/secret-edit.js
+++ b/ui/app/components/secret-edit.js
@@ -109,7 +109,8 @@ export default Component.extend(FocusOnInsertMixin, WithNavToNearestAncestor, {
     'mode'
   ),
   canDeleteSecretMetadata: alias('checkMetadataCapabilities.canDelete'),
-  canCreateSecretMetadata: alias('checkMetadataCapabilities.canCreate'),
+  canUpdateSecretMetadata: alias('checkMetadataCapabilities.canUpdate'),
+  canReadSecretMetadata: alias('checkMetadataCapabilities.canRead'),
 
   requestInFlight: or('model.isLoading', 'model.isReloading', 'model.isSaving'),
 
diff --git a/ui/app/routes/vault/cluster/secrets/backend/configuration.js b/ui/app/routes/vault/cluster/secrets/backend/configuration.js
index 46a8482ca5e4c..2d7bcf32bb669 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/configuration.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/configuration.js
@@ -4,19 +4,31 @@ import Route from '@ember/routing/route';
 export default Route.extend({
   wizard: service(),
   store: service(),
-  model() {
+  async model() {
     let backend = this.modelFor('vault.cluster.secrets.backend');
     if (this.wizard.featureState === 'list') {
       this.wizard.transitionFeatureMachine(this.wizard.featureState, 'CONTINUE', backend.get('type'));
     }
     if (backend.isV2KV) {
-      // design wants specific default to show that can't be set in the model
-      backend.set('casRequired', backend.casRequired ? backend.casRequired : 'False');
-      backend.set(
-        'deleteVersionAfter',
-        backend.deleteVersionAfter !== '0s' ? backend.deleteVersionAfter : 'Never delete'
-      );
-      backend.set('maxVersions', backend.maxVersions ? backend.maxVersions : 'Not set');
+      let canRead = await this.store
+        .findRecord('capabilities', `${backend.id}/config`)
+        .then(response => response.canRead);
+      // only set these config params if they can read the config endpoint.
+      if (canRead) {
+        // design wants specific default to show that can't be set in the model
+        backend.set('casRequired', backend.casRequired ? backend.casRequired : 'False');
+        backend.set(
+          'deleteVersionAfter',
+          backend.deleteVersionAfter !== '0s' ? backend.deleteVersionAfter : 'Never delete'
+        );
+        backend.set('maxVersions', backend.maxVersions ? backend.maxVersions : 'Not set');
+      } else {
+        // remove the default values from the model if they don't have read access otherwise it will display the defaults even if they've been set (because they error on returning config data)
+        // normally would catch the config error in the secret-v2 adapter, but I need the functions to proceed, not stop. So we remove the values here.
+        backend.set('casRequired', null);
+        backend.set('deleteVersionAfter', null);
+        backend.set('maxVersions', null);
+      }
     }
     return backend;
   },
diff --git a/ui/app/routes/vault/cluster/secrets/backend/list.js b/ui/app/routes/vault/cluster/secrets/backend/list.js
index f242444966d2c..4c657142d7466 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/list.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/list.js
@@ -10,6 +10,7 @@ const SUPPORTED_BACKENDS = supportedSecretBackends();
 export default Route.extend({
   templateName: 'vault/cluster/secrets/backend/list',
   pathHelp: service('path-help'),
+  noMetadataPermissions: false,
   queryParams: {
     page: {
       refreshModel: true,
@@ -111,6 +112,9 @@ export default Route.extend({
           // if we're at the root we don't want to throw
           if (backendModel && err.httpStatus === 404 && secret === '') {
             return [];
+          } else if (backendModel.engineType === 'kv' && backendModel.isV2KV) {
+            this.set('noMetadataPermissions', true);
+            return [];
           } else {
             // else we're throwing and dealing with this in the error action
             throw err;
@@ -149,6 +153,7 @@ export default Route.extend({
     let backend = this.enginePathParam();
     let backendModel = this.store.peekRecord('secret-engine', backend);
     let has404 = this.has404;
+    let noMetadataPermissions = this.noMetadataPermissions;
     // only clear store cache if this is a new model
     if (secret !== controller.get('baseKey.id')) {
       this.store.clearAllDatasets();
@@ -157,6 +162,7 @@ export default Route.extend({
     controller.setProperties({
       model,
       has404,
+      noMetadataPermissions,
       backend,
       backendModel,
       baseKey: { id: secret },
diff --git a/ui/app/routes/vault/cluster/secrets/backend/metadata.js b/ui/app/routes/vault/cluster/secrets/backend/metadata.js
index b47b0ddc9e21e..bcfd261d97707 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/metadata.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/metadata.js
@@ -3,6 +3,7 @@ import { inject as service } from '@ember/service';
 
 export default class MetadataShow extends Route {
   @service store;
+  noReadAccess = false;
 
   beforeModel() {
     const { backend } = this.paramsFor('vault.cluster.secrets.backend');
@@ -11,14 +12,23 @@ export default class MetadataShow extends Route {
 
   model(params) {
     let { secret } = params;
-    return this.store.queryRecord('secret-v2', {
-      backend: this.backend,
-      id: secret,
-    });
+    return this.store
+      .queryRecord('secret-v2', {
+        backend: this.backend,
+        id: secret,
+      })
+      .catch(error => {
+        // there was an error likely in read metadata.
+        // still load the page and handle what you show by filtering for this property
+        if (error.httpStatus === 403) {
+          this.noReadAccess = true;
+        }
+      });
   }
 
   setupController(controller, model) {
     controller.set('backend', this.backend); // for backendCrumb
     controller.set('model', model);
+    controller.set('noReadAccess', this.noReadAccess);
   }
 }
diff --git a/ui/app/templates/components/get-credentials-card.hbs b/ui/app/templates/components/get-credentials-card.hbs
index 8e2d06d8c0530..5a539af5af3ab 100644
--- a/ui/app/templates/components/get-credentials-card.hbs
+++ b/ui/app/templates/components/get-credentials-card.hbs
@@ -1,18 +1,21 @@
-<form class="selectable-card is-rounded no-flex">
+<form class="selectable-card is-rounded no-flex data-test-get-credentials-card">
   <div class="is-flex-between is-fullwidth card-details" >
     <h3 class="title is-5">{{@title}}</h3>
   </div>
   <div class="has-top-bottom-margin">
     <p class="is-label search-label">{{@searchLabel}}</p>
   </div>
+  <p class="sub-text">{{@subText}}</p>
   <SearchSelect
     @id={{id}}
     @models={{@models}}
     @selectLimit='1'
     @backend={{@backend}}
     @fallbackComponent='input-search'
+    @shouldUseFallback={{@shouldUseFallback}}
     @onChange={{action 'handleRoleInput' }}
     @inputValue={{get model valuePath}}
+    @placeHolder={{@placeHolder}}
     data-test-search-roles
   />
   <input
diff --git a/ui/app/templates/components/input-search.hbs b/ui/app/templates/components/input-search.hbs
index c5942b5bf8cbc..07a103e47b89d 100644
--- a/ui/app/templates/components/input-search.hbs
+++ b/ui/app/templates/components/input-search.hbs
@@ -5,6 +5,7 @@
       @type="text"
       @value={{this.searchInput}}
       {{on 'keyup' this.inputChanged}}
+      @placeholder={{@placeHolder}}
     />
   </div>
 </div>
diff --git a/ui/app/templates/components/secret-create-or-update.hbs b/ui/app/templates/components/secret-create-or-update.hbs
index 7a5cae09c9734..0efbe0da30914 100644
--- a/ui/app/templates/components/secret-create-or-update.hbs
+++ b/ui/app/templates/components/secret-create-or-update.hbs
@@ -97,7 +97,8 @@
       {{/each}}
       </div>
     {{/if}}
-  {{#if (and @isV2 @canCreateSecretMetadata) }}
+  {{!-- must have UPDATE permissions to add secret metadata. Create only will not work --}}
+  {{#if (and @isV2 @canUpdateSecretMetadata)}}
     <ToggleButton 
       @class="is-block"
       @toggleAttr={{"showMetadata"}}
@@ -113,7 +114,7 @@
           @updateValidationErrorCount={{action "updateValidationErrorCount"}}
         />
       {{/if}}
-    {{/if}}
+  {{/if}}
     <div class="field is-grouped box is-fullwidth is-bottomless">
       <div class="control">
         <button
@@ -135,6 +136,7 @@
 {{/if}}
 
 {{#if (eq @mode "edit")}}
+{{!-- no metadata option because metadata is version agnostic --}}
   <form onsubmit={{action "createOrUpdateKey" "edit"}}>
     <div class="box is-sideless is-fullwidth is-marginless padding-top">
       {{#if @model.canReadSecretData}}
diff --git a/ui/app/templates/components/secret-edit.hbs b/ui/app/templates/components/secret-edit.hbs
index 0fa637ff86418..4d4d729587d72 100644
--- a/ui/app/templates/components/secret-edit.hbs
+++ b/ui/app/templates/components/secret-edit.hbs
@@ -26,7 +26,8 @@
             Secret
           </LinkTo>
         </LinkTo>
-        {{#if model.canReadMetadata}}
+        {{!-- must have read access to /metadata see tab or update to update metadata--}}
+        {{#if (or this.canReadSecretMetadata this.canUpdateSecretMetadata)}}
           <LinkTo @route="vault.cluster.secrets.backend.metadata" @model={{key.id}} @tagName="li" @activeClass="is-active" data-test-secret-metadata-tab>
             <LinkTo @route="vault.cluster.secrets.backend.metadata">
               Metadata
@@ -65,7 +66,7 @@
     @isV2={{isV2}}
     @secretData={{secretData}}
     @buttonDisabled={{buttonDisabled}}
-    @canCreateSecretMetadata={{canCreateSecretMetadata}}
+    @canUpdateSecretMetadata={{canUpdateSecretMetadata}}
   />
 {{else if (eq mode "show")}}
   <SecretFormShow
diff --git a/ui/app/templates/vault/cluster/secrets/backend/list.hbs b/ui/app/templates/vault/cluster/secrets/backend/list.hbs
index 8623d1baf47fc..f1399ea90b993 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/list.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/list.hbs
@@ -5,107 +5,122 @@
   @backendCrumb={{backendCrumb}}
   @filter={{filter}}
 />
-
-{{#with (options-for-backend backendType tab) as |options|}}
-  {{#if (or model.meta.total (not isConfigurableTab))}}
-    <Toolbar>
-      {{#if model.meta.total}}
-        <ToolbarFilters>
-          <NavigateInput
-            @enterpriseProduct="vault"
-            @filterFocusDidChange={{action "setFilterFocus"}}
-            @filterDidChange={{action "setFilter"}}
-            @filter={{this.filter}}
-            @filterMatchesKey={{filterMatchesKey}}
-            @firstPartialMatch={{firstPartialMatch}}
-            @baseKey={{get baseKey "id"}}
-            @shouldNavigateTree={{options.navigateTree}}
-            @placeholder={{options.searchPlaceholder}}
-            @mode={{if (eq tab 'certs') 'secrets-cert' 'secrets'}}
-            @data-test-nav-input={{true}}
-          />
-          {{#if filterFocused}}
-            {{#if filterMatchesKey}}
-              {{#unless filterIsFolder}}
+{{#if this.noMetadataPermissions}}
+  <div class="box is-fullwidth is-shadowless has-tall-padding">
+    <div class="selectable-card-container one-card">
+      <GetCredentialsCard
+        @shouldUseFallback={{true}}
+        @title="View secret"
+        @searchLabel="Secret path"
+        @subText="Type the path of the secret you want to read"
+        @placeHolder="secret/"
+        @backend="kv"
+        @type="secret"
+      />
+    </div>
+  </div>
+{{else}}
+  {{#with (options-for-backend backendType tab) as |options|}}
+    {{#if (or model.meta.total (not isConfigurableTab))}}
+      <Toolbar>
+        {{#if model.meta.total}}
+          <ToolbarFilters>
+            <NavigateInput
+              @enterpriseProduct="vault"
+              @filterFocusDidChange={{action "setFilterFocus"}}
+              @filterDidChange={{action "setFilter"}}
+              @filter={{this.filter}}
+              @filterMatchesKey={{filterMatchesKey}}
+              @firstPartialMatch={{firstPartialMatch}}
+              @baseKey={{get baseKey "id"}}
+              @shouldNavigateTree={{options.navigateTree}}
+              @placeholder={{options.searchPlaceholder}}
+              @mode={{if (eq tab 'certs') 'secrets-cert' 'secrets'}}
+              @data-test-nav-input={{true}}
+            />
+            {{#if filterFocused}}
+              {{#if filterMatchesKey}}
+                {{#unless filterIsFolder}}
+                  <p class="input-hint">
+                    <kbd>Enter</kbd> to view {{filter}}
+                  </p>
+                {{/unless}}
+              {{/if}}
+              {{#if firstPartialMatch}}
                 <p class="input-hint">
-                  <kbd>Enter</kbd> to view {{filter}}
+                  <kbd>Tab</kbd> to autocomplete
                 </p>
-              {{/unless}}
+              {{/if}}
             {{/if}}
-            {{#if firstPartialMatch}}
-              <p class="input-hint">
-                <kbd>Tab</kbd> to autocomplete
-              </p>
-            {{/if}}
-          {{/if}}
-        </ToolbarFilters>
-      {{/if}}
-
-      <ToolbarActions>
-        <ToolbarSecretLink
-          @secret=''
-          @mode="create"
-          @type="add"
-          @queryParams={{query-params initialKey=(or filter baseKey.id) itemType=tab}}
-          @data-test-secret-create=true
-        >
-          {{options.create}}
-        </ToolbarSecretLink>
-      </ToolbarActions>
-    </Toolbar>
-  {{/if}}
-
-  {{#if model.meta.total}}
-    {{#each model as |item|}}
-    {{!-- Because of the component helper cannot use glimmer nested SecretList::Item --}}
-      {{#let (component options.listItemPartial) as |Component|}}
-        <Component
-          @item={{item}}
-          @backendModel={{backendModel}}
-          @backendType={{backendType}}
-          @delete={{action "delete" item "secret"}}
-          @itemPath={{concat options.modelPrefix item.id}}
-          @itemType={{options.item}}
-          @modelType={{@modelType}}
-          @options={{options}}
-          @toggleZeroAddress={{action "toggleZeroAddress" item backendModel}}
-        />
-      {{/let}}
-  {{else}}
-      <div class="box is-sideless">
-        {{#if filterFocused}}
-          There are no {{pluralize options.item}} matching <code>{{filter}}</code>, press <kbd>ENTER</kbd> to add one.
-        {{else}}
-          There are no {{pluralize options.item}} matching <code>{{filter}}</code>.
+          </ToolbarFilters>
         {{/if}}
-      </div>
-    {{/each}}
-    {{#if (gt model.meta.lastPage 1) }}
-      <ListPagination @page={{model.meta.currentPage}} @lastPage={{model.meta.lastPage}} @link={{concat "vault.cluster.secrets.backend.list" (unless baseKey.id "-root")}} @model={{compact (array backend (if baseKey.id baseKey.id))}} />
+
+        <ToolbarActions>
+          <ToolbarSecretLink
+            @secret=''
+            @mode="create"
+            @type="add"
+            @queryParams={{query-params initialKey=(or filter baseKey.id) itemType=tab}}
+            @data-test-secret-create=true
+          >
+            {{options.create}}
+          </ToolbarSecretLink>
+        </ToolbarActions>
+      </Toolbar>
     {{/if}}
-  {{else}}
-    {{#if (eq baseKey.id '')}}
-      <EmptyState
-        @title="No {{pluralize options.item}} in this backend"
-        @message="Secrets in this backend will be listed here. Add a secret to get started."
-      >
-        <SecretLink @mode="create" @secret="" @queryParams={{query-params initialKey=(or filter baseKey.id) itemType=tab}} @class="link">
-          {{options.create}}
-        </SecretLink>
-      </EmptyState>
+
+    {{#if model.meta.total}}
+      {{#each model as |item|}}
+      {{!-- Because of the component helper cannot use glimmer nested SecretList::Item --}}
+        {{#let (component options.listItemPartial) as |Component|}}
+          <Component
+            @item={{item}}
+            @backendModel={{backendModel}}
+            @backendType={{backendType}}
+            @delete={{action "delete" item "secret"}}
+            @itemPath={{concat options.modelPrefix item.id}}
+            @itemType={{options.item}}
+            @modelType={{@modelType}}
+            @options={{options}}
+            @toggleZeroAddress={{action "toggleZeroAddress" item backendModel}}
+          />
+        {{/let}}
     {{else}}
-      {{#if filterIsFolder}}
+        <div class="box is-sideless">
+          {{#if filterFocused}}
+            There are no {{pluralize options.item}} matching <code>{{filter}}</code>, press <kbd>ENTER</kbd> to add one.
+          {{else}}
+            There are no {{pluralize options.item}} matching <code>{{filter}}</code>.
+          {{/if}}
+        </div>
+      {{/each}}
+      {{#if (gt model.meta.lastPage 1) }}
+        <ListPagination @page={{model.meta.currentPage}} @lastPage={{model.meta.lastPage}} @link={{concat "vault.cluster.secrets.backend.list" (unless baseKey.id "-root")}} @model={{compact (array backend (if baseKey.id baseKey.id))}} />
+      {{/if}}
+    {{else}}
+      {{#if (eq baseKey.id '')}}
         <EmptyState
-          @title={{if (eq filter baseKey.id)
-            (concat
-              "No " (pluralize options.item) " under &quot;" this.filter "&quot;"
-            )
-            (concat
-              "No folders matching &quot;" this.filter "&quot;"
-            )
-          }}
-        />
+          @title="No {{pluralize options.item}} in this backend"
+          @message="Secrets in this backend will be listed here. Add a secret to get started."
+        >
+          <SecretLink @mode="create" @secret="" @queryParams={{query-params initialKey=(or filter baseKey.id) itemType=tab}} @class="link">
+            {{options.create}}
+          </SecretLink>
+        </EmptyState>
+      {{else}}
+        {{#if filterIsFolder}}
+          <EmptyState
+            @title={{if (eq filter baseKey.id)
+              (concat
+                "No " (pluralize options.item) " under &quot;" this.filter "&quot;"
+              )
+              (concat
+                "No folders matching &quot;" this.filter "&quot;"
+              )
+            }}
+          />
+        {{/if}}
       {{/if}}
     {{/if}}
-  {{/if}}
-{{/with}}
+  {{/with}}
+{{/if}}
diff --git a/ui/app/templates/vault/cluster/secrets/backend/metadata.hbs b/ui/app/templates/vault/cluster/secrets/backend/metadata.hbs
index bd1dc5a8037bb..8c0ddcbf02c86 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/metadata.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/metadata.hbs
@@ -33,6 +33,7 @@
 </div>
 
 <Toolbar>
+  {{!-- You must have update on metadata, create is not enough. --}}
   {{#if this.model.canUpdateMetadata}}
     <ToolbarActions>  
       <ToolbarLink @params={{array 'vault.cluster.secrets.backend.edit-metadata' this.model.id }}>
@@ -50,28 +51,38 @@
 <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
   {{#each-in this.model.customMetadata as | key value|}}
       <InfoTableRow @alwaysRender={{false}} @label={{key}} @value={{value}} />
+  {{else if this.noReadAccess}}
+    <EmptyState
+      @title="You do not have access to read secret metadata"
+      @bottomBorder={{true}}
+      @message="In order to edit secret metadata access, the UI requires read permissions; otherwise, data may be deleted. Edits can still be made via the API and CLI.">
+    </EmptyState>
   {{else}}
     <EmptyState
       @title="No custom metadata"
       @bottomBorder={{true}}
       @message="This data is version-agnostic and is usually used to describe the secret being stored.">
-        <LinkTo
-          @route="vault.cluster.secrets.backend.edit-metadata"
-          @model={{this.model.id}}
-          data-test-add-custom-metadata
-        >
-          Add metadata
-        </LinkTo>
+        {{#if this.model.canUpdateMetadata}}
+          <LinkTo
+            @route="vault.cluster.secrets.backend.edit-metadata"
+            @model={{this.model.id}}
+            data-test-add-custom-metadata
+          >
+            Add metadata
+          </LinkTo>
+        {{/if}}
     </EmptyState>
   {{/each-in}}
 </div>
-<div class="form-section">
-  <label class="title has-padding-top is-5">
-    Secret Metadata
-  </label>
-</div>
-<div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-  <InfoTableRow @alwaysRender={{true}} @label="Maximum versions" @value={{this.model.maxVersions}} />
-  <InfoTableRow @alwaysRender={{true}} @label="Check-and-Set required" @value={{this.model.casRequired}} />
-  <InfoTableRow @alwaysRender={{true}} @label="Delete version after" @value={{if (eq this.model.deleteVersionAfter "0s") "Never delete" this.model.deleteVersionAfter}} />
-</div>
+{{#unless this.noReadAccess}}
+  <div class="form-section">
+    <label class="title has-padding-top is-5">
+      Secret Metadata
+    </label>
+  </div>
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    <InfoTableRow @alwaysRender={{true}} @label="Maximum versions" @value={{this.model.maxVersions}} />
+    <InfoTableRow @alwaysRender={{true}} @label="Check-and-Set required" @value={{this.model.casRequired}} />
+    <InfoTableRow @alwaysRender={{true}} @label="Delete version after" @value={{if (eq this.model.deleteVersionAfter "0s") "Never delete" this.model.deleteVersionAfter}} />
+  </div>
+{{/unless}}
diff --git a/ui/app/templates/vault/cluster/secrets/backend/overview.hbs b/ui/app/templates/vault/cluster/secrets/backend/overview.hbs
index 6921213b2bbbe..9396a5b612791 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/overview.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/overview.hbs
@@ -32,6 +32,7 @@
             @actionText="Configure new"
             @actionTo="vault.cluster.secrets.backend.create-root"
             @queryParam={{'connection'}}
+            @type="role"
           />
         {{/if}}
         {{#if (or model.roleCapabilities.canList model.staticRoleCapabilities.canList) }}
diff --git a/ui/lib/core/addon/templates/components/search-select.hbs b/ui/lib/core/addon/templates/components/search-select.hbs
index bc876e1f8d6f0..6cccd18d20f36 100644
--- a/ui/lib/core/addon/templates/components/search-select.hbs
+++ b/ui/lib/core/addon/templates/components/search-select.hbs
@@ -5,6 +5,7 @@
     onChange=(action "onChange")
     inputValue=inputValue
     helpText=helpText
+    placeHolder=placeHolder
   }}
 {{else}}
   <label class="{{if labelClass labelClass 'title is-4'}}" data-test-field-label>
diff --git a/ui/tests/acceptance/secrets/backend/kv/secret-test.js b/ui/tests/acceptance/secrets/backend/kv/secret-test.js
index e83b380cc6a7a..c7c6be6cbbabf 100644
--- a/ui/tests/acceptance/secrets/backend/kv/secret-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/secret-test.js
@@ -391,7 +391,113 @@ module('Acceptance | secrets/secret/create', function(hooks) {
     );
   });
 
-  test('version 2 with restricted policy still allows creation', async function(assert) {
+  test('paths are properly encoded', async function(assert) {
+    let backend = 'kv';
+    let paths = [
+      '(',
+      ')',
+      '"',
+      //"'",
+      '!',
+      '#',
+      '$',
+      '&',
+      '*',
+      '+',
+      '@',
+      '{',
+      '|',
+      '}',
+      '~',
+      '[',
+      '\\',
+      ']',
+      '^',
+      '_',
+    ].map(char => `${char}some`);
+    assert.expect(paths.length * 2);
+    let secretName = '2';
+    let commands = paths.map(path => `write '${backend}/${path}/${secretName}' 3=4`);
+    await consoleComponent.runCommands(['write sys/mounts/kv type=kv', ...commands]);
+    for (let path of paths) {
+      await listPage.visit({ backend, id: path });
+      assert.ok(listPage.secrets.filterBy('text', '2')[0], `${path}: secret is displayed properly`);
+      await listPage.secrets.filterBy('text', '2')[0].click();
+      assert.equal(
+        currentRouteName(),
+        'vault.cluster.secrets.backend.show',
+        `${path}: show page renders correctly`
+      );
+    }
+  });
+
+  test('create secret with space shows version data', async function(assert) {
+    let enginePath = `kv-${new Date().getTime()}`;
+    let secretPath = 'space space';
+    // mount version 2
+    await mountSecrets.visit();
+    await mountSecrets.selectType('kv');
+    await mountSecrets
+      .next()
+      .path(enginePath)
+      .submit();
+    await settled();
+    await listPage.create();
+    await editPage.createSecret(secretPath, 'foo', 'bar');
+    await settled();
+    await click('[data-test-popup-menu-trigger="version"]');
+    await settled();
+    await click('[data-test-version-history]');
+    await settled();
+    assert.dom('[data-test-list-item-content]').exists('renders the version and not an error state');
+    // click on version
+    await click('[data-test-popup-menu-trigger="true"]');
+    await click('[data-test-version]');
+    await settled();
+    // perform encode function that should be done by the encodePath
+    let encodedSecretPath = secretPath.replace(/ /g, '%20');
+    assert.equal(currentURL(), `/vault/secrets/${enginePath}/show/${encodedSecretPath}?version=1`);
+  });
+
+  // the web cli does not handle a quote as part of a path, so we test it here via the UI
+  test('creating a secret with a single or double quote works properly', async function(assert) {
+    await consoleComponent.runCommands('write sys/mounts/kv type=kv');
+    let paths = ["'some", '"some'];
+    for (let path of paths) {
+      await listPage.visitRoot({ backend: 'kv' });
+      await listPage.create();
+      await editPage.createSecret(`${path}/2`, 'foo', 'bar');
+      await listPage.visit({ backend: 'kv', id: path });
+      assert.ok(listPage.secrets.filterBy('text', '2')[0], `${path}: secret is displayed properly`);
+      await listPage.secrets.filterBy('text', '2')[0].click();
+      assert.equal(
+        currentRouteName(),
+        'vault.cluster.secrets.backend.show',
+        `${path}: show page renders correctly`
+      );
+    }
+  });
+
+  test('filter clears on nav', async function(assert) {
+    await consoleComponent.runCommands([
+      'vault write sys/mounts/test type=kv',
+      'refresh',
+      'vault write test/filter/foo keys=a keys=b',
+      'vault write test/filter/foo1 keys=a keys=b',
+      'vault write test/filter/foo2 keys=a keys=b',
+    ]);
+    await listPage.visit({ backend: 'test', id: 'filter' });
+    assert.equal(listPage.secrets.length, 3, 'renders three secrets');
+    await listPage.filterInput('filter/foo1');
+    assert.equal(listPage.secrets.length, 1, 'renders only one secret');
+    await listPage.secrets.objectAt(0).click();
+    await showPage.breadcrumbs.filterBy('text', 'filter')[0].click();
+    assert.equal(listPage.secrets.length, 3, 'renders three secrets');
+    assert.equal(listPage.filterInputValue, 'filter/', 'pageFilter has been reset');
+  });
+
+  // All policy test below this line
+  test('version 2 with restricted policy still allows creation and does not show metadata tab', async function(assert) {
     let backend = 'kv-v2';
     const V2_POLICY = `
       path "kv-v2/metadata/*" {
@@ -416,41 +522,66 @@ module('Acceptance | secrets/secret/create', function(hooks) {
     await writeSecret(backend, 'secret', 'foo', 'bar');
     assert.equal(currentRouteName(), 'vault.cluster.secrets.backend.show', 'redirects to the show page');
     assert.ok(showPage.editIsPresent, 'shows the edit button');
+    //check for metadata tab which should not show because you don't have read capabilities
+    assert.dom('[data-test-secret-metadata-tab]').doesNotExist('does not show metadata tab');
   });
 
-  test('version 2 with restricted policy still allows edit but does not show metadata tab', async function(assert) {
-    let backend = 'kv-v2';
-    const V2_POLICY = `
-      path "kv-v2/metadata/*" {
-        capabilities = ["list"]
+  test('version 2: with metadata no read or list access but access to the data endpoint', async function(assert) {
+    let backend = 'no-metadata-read';
+    let V2_POLICY_NO_LIST = `
+      path "${backend}/metadata/*" {
+        capabilities = ["create","update"]
       }
-      path "kv-v2/data/secret" {
+      path "${backend}/data/*" {
         capabilities = ["create", "read", "update"]
       }
     `;
     await consoleComponent.runCommands([
-      `write sys/mounts/${backend} type=kv options=version=2`,
-      `write sys/policies/acl/kv-v2-degrade policy=${btoa(V2_POLICY)}`,
       // delete any kv previously written here so that tests can be re-run
-      'delete kv-v2/metadata/secret',
-      'write -field=client_token auth/token/create policies=kv-v2-degrade',
+      `delete ${backend}/metadata/secret-path`,
+      // delete any previous mount with same name
+      `delete sys/mounts/${backend}`,
+      `write sys/mounts/${backend} type=kv options=version=2`,
+      `write sys/policies/acl/metadata-no-list policy=${btoa(V2_POLICY_NO_LIST)}`,
+      'write -field=client_token auth/token/create policies=metadata-no-list',
     ]);
-
-    let userToken = consoleComponent.lastLogOutput;
-    // check secret edit
-    await writeSecret(backend, 'secret', 'foo', 'bar');
+    await settled();
+    let userToken2 = consoleComponent.lastLogOutput;
+    await settled();
+    await listPage.visitRoot({ backend });
+    await settled();
+    await listPage.create();
+    await settled();
+    await editPage.createSecretWithMetadata('secret-path', 'secret-key', 'secret-value', 101);
+    await settled();
     await logout.visit();
-    await authPage.login(userToken);
-
-    await editPage.visitEdit({ backend, id: 'secret' });
-    await editPage.editSecret('bar', 'baz');
     await settled();
-    assert.equal(currentRouteName(), 'vault.cluster.secrets.backend.show', 'redirects to the show page');
-    assert.ok(showPage.editIsPresent, 'shows the edit button');
-    //check for metadata tab
-    assert.dom('[data-test-secret-metadata-tab]').doesNotExist('does not show metadata tab');
+    await authPage.login(userToken2);
+    await settled();
+    // test if metadata tab there and error and no edit. and you can’t see metadata that was setup.
+    await click(`[data-test-auth-backend-link=${backend}]`);
+    await settled();
+    // this fails in IE11 on browserstack so going directly to URL
+    // let card = document.querySelector('[data-test-search-roles]').childNodes[1];
+    // await typeIn(card.querySelector('input'), 'secret-path');
+    // await settled();
+    await visit('/vault/secrets/no-metadata-read/show/secret-path');
+    // await click('[data-test-get-credentials]');
+    await settled();
+    await assert
+      .dom('[data-test-value-div="secret-key"]')
+      .exists('secret view page and info table row with secret-key value');
+    // check metadata
+    await click('[data-test-secret-metadata-tab]');
+    await settled();
+    assert
+      .dom('[data-test-empty-state-message]')
+      .hasText(
+        'In order to edit secret metadata access, the UI requires read permissions; otherwise, data may be deleted. Edits can still be made via the API and CLI.'
+      );
   });
 
+  // KV delete operations testing
   test('version 2 with policy with destroy capabilities shows modal', async function(assert) {
     let backend = 'kv-v2';
     const V2_POLICY = `
@@ -578,111 +709,7 @@ module('Acceptance | secrets/secret/create', function(hooks) {
     await writeSecret(backend, 'secret', 'foo', 'bar');
     assert.dom('[data-test-secret-v2-delete="true"]').exists('drop down delete shows');
   });
-
-  test('paths are properly encoded', async function(assert) {
-    let backend = 'kv';
-    let paths = [
-      '(',
-      ')',
-      '"',
-      //"'",
-      '!',
-      '#',
-      '$',
-      '&',
-      '*',
-      '+',
-      '@',
-      '{',
-      '|',
-      '}',
-      '~',
-      '[',
-      '\\',
-      ']',
-      '^',
-      '_',
-    ].map(char => `${char}some`);
-    assert.expect(paths.length * 2);
-    let secretName = '2';
-    let commands = paths.map(path => `write '${backend}/${path}/${secretName}' 3=4`);
-    await consoleComponent.runCommands(['write sys/mounts/kv type=kv', ...commands]);
-    for (let path of paths) {
-      await listPage.visit({ backend, id: path });
-      assert.ok(listPage.secrets.filterBy('text', '2')[0], `${path}: secret is displayed properly`);
-      await listPage.secrets.filterBy('text', '2')[0].click();
-      assert.equal(
-        currentRouteName(),
-        'vault.cluster.secrets.backend.show',
-        `${path}: show page renders correctly`
-      );
-    }
-  });
-
-  test('create secret with space shows version data', async function(assert) {
-    let enginePath = `kv-${new Date().getTime()}`;
-    let secretPath = 'space space';
-    // mount version 2
-    await mountSecrets.visit();
-    await mountSecrets.selectType('kv');
-    await mountSecrets
-      .next()
-      .path(enginePath)
-      .submit();
-    await settled();
-    await listPage.create();
-    await editPage.createSecret(secretPath, 'foo', 'bar');
-    await settled();
-    await click('[data-test-popup-menu-trigger="version"]');
-    await settled();
-    await click('[data-test-version-history]');
-    await settled();
-    assert.dom('[data-test-list-item-content]').exists('renders the version and not an error state');
-    // click on version
-    await click('[data-test-popup-menu-trigger="true"]');
-    await click('[data-test-version]');
-    await settled();
-    // perform encode function that should be done by the encodePath
-    let encodedSecretPath = secretPath.replace(/ /g, '%20');
-    assert.equal(currentURL(), `/vault/secrets/${enginePath}/show/${encodedSecretPath}?version=1`);
-  });
-
-  // the web cli does not handle a quote as part of a path, so we test it here via the UI
-  test('creating a secret with a single or double quote works properly', async function(assert) {
-    await consoleComponent.runCommands('write sys/mounts/kv type=kv');
-    let paths = ["'some", '"some'];
-    for (let path of paths) {
-      await listPage.visitRoot({ backend: 'kv' });
-      await listPage.create();
-      await editPage.createSecret(`${path}/2`, 'foo', 'bar');
-      await listPage.visit({ backend: 'kv', id: path });
-      assert.ok(listPage.secrets.filterBy('text', '2')[0], `${path}: secret is displayed properly`);
-      await listPage.secrets.filterBy('text', '2')[0].click();
-      assert.equal(
-        currentRouteName(),
-        'vault.cluster.secrets.backend.show',
-        `${path}: show page renders correctly`
-      );
-    }
-  });
-
-  test('filter clears on nav', async function(assert) {
-    await consoleComponent.runCommands([
-      'vault write sys/mounts/test type=kv',
-      'refresh',
-      'vault write test/filter/foo keys=a keys=b',
-      'vault write test/filter/foo1 keys=a keys=b',
-      'vault write test/filter/foo2 keys=a keys=b',
-    ]);
-    await listPage.visit({ backend: 'test', id: 'filter' });
-    assert.equal(listPage.secrets.length, 3, 'renders three secrets');
-    await listPage.filterInput('filter/foo1');
-    assert.equal(listPage.secrets.length, 1, 'renders only one secret');
-    await listPage.secrets.objectAt(0).click();
-    await showPage.breadcrumbs.filterBy('text', 'filter')[0].click();
-    assert.equal(listPage.secrets.length, 3, 'renders three secrets');
-    assert.equal(listPage.filterInputValue, 'filter/', 'pageFilter has been reset');
-  });
+  // end of KV delete operation testing
 
   let setupNoRead = async function(backend, canReadMeta = false) {
     const V2_WRITE_ONLY_POLICY = `
diff --git a/ui/tests/acceptance/settings/mount-secret-backend-test.js b/ui/tests/acceptance/settings/mount-secret-backend-test.js
index ced0523f2861b..bcc272fe86b31 100644
--- a/ui/tests/acceptance/settings/mount-secret-backend-test.js
+++ b/ui/tests/acceptance/settings/mount-secret-backend-test.js
@@ -147,49 +147,4 @@ module('Acceptance | settings/mount-secret-backend', function(hooks) {
     await settled();
     assert.dom('[data-test-row-value="Maximum number of versions"]').hasText('Not set');
   });
-
-  test('version 2 with no create to sys/mounts endpoint does not allows mounting of secret engine', async function(assert) {
-    let backend = `kv-noMount-${new Date().getTime()}`;
-    const V2_POLICY = `
-      path "${backend}/*" {
-        capabilities = ["update","list","create","read","sudo","delete"]
-      }
-      path "sys/mounts/*"
-      {
-        capabilities = ["read", "delete", "list", "sudo"]
-      }
-
-      # List existing secrets engines.
-      path "sys/mounts"
-      {
-        capabilities = ["read"]
-      }
-    `;
-    await consoleComponent.runCommands([
-      `write sys/policies/acl/kv-v2-degrade policy=${btoa(V2_POLICY)}`,
-      'write -field=client_token auth/token/create policies=kv-v2-degrade',
-    ]);
-
-    let userToken = consoleComponent.lastLogOutput;
-    await logout.visit();
-    await authPage.login(userToken);
-    // create the engine
-    await mountSecrets.visit();
-    await mountSecrets.selectType('kv');
-    await mountSecrets
-      .next()
-      .path(backend)
-      .setMaxVersion(101)
-      .submit();
-    await settled();
-    assert.ok(
-      find('[data-test-flash-message]').textContent.trim(),
-      `You do not have access to the sys/mounts endpoint. The secret engine was not mounted.`
-    );
-    assert.equal(currentRouteName(), 'vault.cluster.settings.mount-secret-backend');
-
-    await page.secretList();
-    await settled();
-    assert.dom(`[data-test-secret-backend-row=${backend}]`).doesNotExist();
-  });
 });
diff --git a/ui/tests/integration/components/get-credentials-card-test.js b/ui/tests/integration/components/get-credentials-card-test.js
index d4309082f87e0..46d143f88705b 100644
--- a/ui/tests/integration/components/get-credentials-card-test.js
+++ b/ui/tests/integration/components/get-credentials-card-test.js
@@ -2,7 +2,7 @@ import { module, test } from 'qunit';
 import { run } from '@ember/runloop';
 import { setupRenderingTest } from 'ember-qunit';
 import Service from '@ember/service';
-import { render } from '@ember/test-helpers';
+import { render, typeIn } from '@ember/test-helpers';
 import { selectChoose, clickTrigger } from 'ember-power-select/test-support/helpers';
 import hbs from 'htmlbars-inline-precompile';
 
@@ -45,9 +45,23 @@ module('Integration | Component | get-credentials-card', function(hooks) {
   test('it shows button that can be clicked to credentials route when an item is selected', async function(assert) {
     const models = ['database/role'];
     this.set('models', models);
-    await render(hbs`<GetCredentialsCard @title={{title}} @searchLabel={{searchLabel}} @models={{models}}/>`);
+    await render(
+      hbs`<GetCredentialsCard @title={{title}} @searchLabel={{searchLabel}} @models={{models}} @type="role"/>`
+    );
     await clickTrigger();
     await selectChoose('', 'my-role');
     assert.dom('[data-test-get-credentials]').isEnabled();
   });
+
+  test('it shows input field that can be clicked to a secret when role is secret', async function(assert) {
+    await render(
+      hbs`<GetCredentialsCard @title={{title}} @shouldUseFallback={{true}} @placeHolder="secret/" @backend="kv" @type="secret"/>`
+    );
+    let card = document.querySelector('[data-test-search-roles]').childNodes[1];
+    let placeholder = card.querySelector('input').placeholder;
+    assert.equal(placeholder, 'secret/');
+
+    await typeIn(card.querySelector('input'), 'test');
+    assert.dom('[data-test-get-credentials]').isEnabled();
+  });
 });
diff --git a/ui/tests/pages/secrets/backend/kv/edit-secret.js b/ui/tests/pages/secrets/backend/kv/edit-secret.js
index 026d2150a2a2b..a5de4f320ddc8 100644
--- a/ui/tests/pages/secrets/backend/kv/edit-secret.js
+++ b/ui/tests/pages/secrets/backend/kv/edit-secret.js
@@ -29,6 +29,14 @@ export default create({
       .secretValue(value)
       .save();
   },
+  createSecretWithMetadata: async function(path, key, value, maxVersion) {
+    return this.path(path)
+      .secretKey(key)
+      .secretValue(value)
+      .toggleMetadata()
+      .maxVersion(maxVersion)
+      .save();
+  },
   editSecret: async function(key, value) {
     return this.secretKey(key)
       .secretValue(value)