Confusing plus and asterisk operators in vault policies for kv2

Why doesn’t adding permission to this path work?

kv/+/+/+/+/directory/*

but this does?

kv/+/+/+/+/directory/+

This is particularly very confusing because this also works:

kv/+/directory/*

I don’t understand the logic behind this and I was hoping someone could explain it to me.

The * wildcard will match any string at the end of a path. The + is used as a wildcard to designate a single directory within a path. You can find a more verbose explanation and example at https://learn.hashicorp.com/tutorials/vault/policies#step-1-write-acl-policies-in-hcl-format
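As an added illustration of those documented rules (this is not code from the thread or from Vault itself), the small Python matcher below treats + as exactly one non-empty path segment and a trailing * as a prefix match on any remaining suffix. It shows what each policy path from the question is expected to cover under those rules, including why a trailing + cannot cover nested subdirectories; it models the documented semantics only and does not reproduce the behaviour the question reports. The sample paths are constructed.

```python
def _segments_match(pat_segs, path_segs):
    """'+' matches exactly one non-empty segment; anything else is literal."""
    if len(pat_segs) != len(path_segs):
        return False
    return all((p == "+" and s != "") or p == s for p, s in zip(pat_segs, path_segs))


def policy_matches(pattern: str, path: str) -> bool:
    """Match a request path against a policy path under the documented rules:
    '+' is one segment, a trailing '*' is any suffix (a prefix match)."""
    if not pattern.endswith("*"):
        return _segments_match(pattern.split("/"), path.split("/"))
    # Glob: everything before '*' must match the start of the path. The last
    # pattern piece may be a partial segment, e.g. "sec" in "kv/+/sec*".
    *head, partial = pattern[:-1].split("/")
    path_segs = path.split("/")
    if len(path_segs) <= len(head) or not _segments_match(head, path_segs[:len(head)]):
        return False
    return "/".join(path_segs[len(head):]).startswith(partial)


# Constructed sample request paths (kv v2 inserts data/, metadata/, delete/, ...
# as the first segment after the mount, which is what the single '+' absorbs).
SAMPLE_PATHS = [
    "kv/data/directory/secret",
    "kv/metadata/directory/sub/secret",
    "kv/data/a/b/c/directory/secret",
    "kv/data/a/b/c/directory/sub/secret",
]


def coverage(pattern):
    """Return the sample paths a policy path is expected to cover."""
    return [p for p in SAMPLE_PATHS if policy_matches(pattern, p)]


if __name__ == "__main__":
    for pat in ("kv/+/directory/*", "kv/+/+/+/+/directory/*", "kv/+/+/+/+/directory/+"):
        print(pat, "->", coverage(pat))
```

Under the documented rules the trailing-* form covers the nested sub/secret path and the trailing-+ form does not, which is the gap the follow-up post describes.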

I understand that, but that doesn’t really explain why kv/+/directory/* works but not kv/+/+/+/+/directory/*

So my point is that essentially anything with just one plus works (in this case the plus would correspond to data, metadata, delete, etc. from kv2), but if you add multiple plus signs and one asterisk at the end then it doesn’t work, so you need to add one plus at the end for it to work, and this is fine for my use case.

However, if I wanted to be able to give permissions to create subdirectories under the last directory, the plus sign would not be okay; it would not allow you to do so, and you would need to create multiple policies for any number of subdirectories.

I don’t know if this is by design or an oversight, that’s what I am trying to figure out.

I have absolutely the same question. It is quite discouraging to see that no one from the community can answer such a simple-looking question. So I am bumping the thread and hoping we will get an answer soon.

Looks like it’s a bug that’s been around for more than a year:
