Can't rotate transit keys, what's wrong?

Learning Vault+Transit here.
I’ve created a role “keyrotator” with policy and a token in this role.

path "transit/keys/*/rotate" {
	capabilities = ["create","update"]
}

Then I’ve created a key as root.

I can rotate the key as root of course, but I can’t rotate as “keyrotator”: permission denied.

The -output-policy for vault write -output-policy transit/keys/my-key-name/rotate doesn’t only outputs the policy already assigned.

Why am I unable to rotate? Any policy missing? Is it an issue with key ownership (key was created by root but rotated by another identity)?

# sample (fish) shell session
set ROOT_TOKEN …omitted…
echo $ROOT_TOKEN | vault login -

set KEYNAME k1
vault write transit/keys/$KEYNAME derived=true type=aes256-gcm96

# create policy to rotate keys
set POLICY keyrotation
echo '
path "transit/keys/*/rotate" {
    capabilities = ["create","update"]
}
' | vault policy write $POLICY -

# create role
set ROLE keyrotator
vault write auth/token/roles/$ROLE allowed_policies=$POLICY

# create role-based token
vault write /auth/token/create/$ROLE ttl=1h

set KEYROTATOR_TOKEN …omitted…
echo $KEYROTATOR_TOKEN | vault login -

# try rotating key
vault write transit/keys/$KEYNAME/rotate
## error: permission denied

Finally found the answer in the ACL policy path templating tutorial.

I should have used the + to match any single path-segment, instead of * (which is used to match all the rest of the path).

So replacing path "transit/keys/*/rotate" with path "transit/keys/+/rotate" has fixed the problem.