You could structure your secrets differently, such as: it-dba/secrets/apps/<app_name>/<secret_name>
This would allow you to permission based on app name, individual secret, or common prefix.
# Allow reading of app app1 secrets
path "it-dba/secrets/apps/app1/*" {
  capabilities = ["read", "list"]
}
# Allow reading of my_secret
path "it-dba/secrets/apps/app1/my_secret" {
  capabilities = ["read"]
}
# Allow reading of secrets with prefix of "my"
path "it-dba/secrets/apps/app1/my*" {
  capabilities = ["read"]
}
I find the best approach is that each secret you create should have common key names (e.g. username, password, key, etc.) and be organized in a way that facilitates the ACL capabilities and your access delegation needs.
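As an added example (not code from the answer above), the following Python evaluates a simplified Vault-style ACL against request paths using the three rules from the answer. It assumes Vault's matching order: an exact path beats a glob, among globs the longest prefix wins, and a winning rule containing "deny" overrides everything; it shows that the more specific my_secret rule does not inherit the list capability granted by app1/*.

```python
"""Simplified Vault-style ACL path matching (added example, assumptions labelled).

Assumptions: '*' is honoured only as a trailing glob, as in Vault; an
exact (non-glob) match takes precedence over globs; among matching globs
the longest prefix wins; a "deny" capability in the winning rule refuses
the request regardless of other capabilities.
"""
from typing import List, Optional, Tuple

Rule = Tuple[str, List[str]]  # (policy path, capabilities)

# Constructed policy mirroring the three rules in the answer.
POLICY: List[Rule] = [
    ("it-dba/secrets/apps/app1/*", ["read", "list"]),
    ("it-dba/secrets/apps/app1/my_secret", ["read"]),
    ("it-dba/secrets/apps/app1/my*", ["read"]),
]


def matching_rule(policy: List[Rule], request_path: str) -> Optional[Rule]:
    """Return the most specific rule for request_path, or None if nothing matches."""
    exact = [r for r in policy if not r[0].endswith("*") and r[0] == request_path]
    if exact:
        return exact[0]
    globs = [
        r for r in policy
        if r[0].endswith("*") and request_path.startswith(r[0][:-1])
    ]
    if not globs:
        return None
    # Longest policy path is the most specific glob.
    return max(globs, key=lambda r: len(r[0]))


def allowed(policy: List[Rule], request_path: str, capability: str) -> bool:
    """Decide whether capability is granted on request_path under policy."""
    rule = matching_rule(policy, request_path)
    if rule is None:
        return False  # default deny: no rule covers this path
    caps = rule[1]
    if "deny" in caps:
        return False  # explicit deny wins over any grant
    return capability in caps


if __name__ == "__main__":
    for p, cap in [("it-dba/secrets/apps/app1/db_password", "list"),
                   ("it-dba/secrets/apps/app1/my_secret", "list"),
                   ("it-dba/secrets/apps/app2/db_password", "read")]:
        print(f"{cap:5} {p}: {allowed(POLICY, p, cap)}")
```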