Create a policy to list/read/update/create all secrets

Hello,

I would like to create an admin policy that manages every secret from every engine of my Vault. For now I tried to get access to KV v2 secrets; when I use this policy I can list every path but cannot access the secrets.


path "*" {
  capabilities = ["list"]
}

path "*/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "*/metadata/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

Is it possible to use “*” to indicate the path before “/data/” or “/metadata”?
Or do I have to indicate every path one by one?

“*” marks the end of a path. “+” is used within a path.

The path can have a wildcard ("*") at the end to allow for any string in its place. For example, "secret/training_*" grants permissions on any path starting with "secret/training_" (e.g. secret/training_vault). To allow wildcard matching for a single directory, use "+". For example, "secret/app/+/stage" would match a path such as "secret/app/release_1.0/stage".

But I don’t know if it’s the answer to your use case.
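To make the difference between the two wildcards concrete, here is an added example (not code from the thread or from Vault itself): a small Python re-implementation of the documented matching rules, run against the policy posted above and against a corrected version that uses "+" for the mount name. It assumes constructed KV v2 request paths with mount names "secret", "kv" and "team/kv", treats a "*" that is not the last character as a literal character (as the documentation implies), and deliberately does not model Vault's precedence rules for the case where several patterns match the same path.

```python
"""Toy matcher for Vault policy path patterns (added example, not Vault's code).

Documented semantics re-implemented here:
  "*"  only meaningful as the LAST character: everything after the prefix matches
  "+"  matches exactly one non-empty path segment
A "*" anywhere else is kept as a literal character (assumption based on the
documentation). Precedence between several matching rules is NOT modelled.
"""


def parse_pattern(pattern):
    """Split a policy path into (segments, is_prefix, has_segment_wildcard)."""
    is_prefix = pattern.endswith("*")
    if is_prefix:
        pattern = pattern[:-1]                      # strip the trailing glob
    segments = pattern.split("/")
    return segments, is_prefix, "+" in segments


def path_matches(pattern, path):
    """Return True if the request path is covered by the policy pattern."""
    segments, is_prefix, has_wildcard = parse_pattern(pattern)

    if not has_wildcard:
        # No "+": plain string compare; a trailing "*" turns it into a prefix test.
        literal = "/".join(segments)
        return path.startswith(literal) if is_prefix else path == literal

    parts = path.split("/")
    if len(parts) < len(segments):
        return False                                # pattern needs more segments than given
    if not is_prefix and len(parts) != len(segments):
        return False                                # without trailing "*", counts must agree

    for i, seg in enumerate(segments):
        if seg == "+":
            if parts[i] == "":
                return False                        # "+" needs one non-empty segment
            continue
        if is_prefix and i == len(segments) - 1:
            if not parts[i].startswith(seg):        # last segment of a glob is a prefix
                return False
        elif parts[i] != seg:
            return False
    return True


def matching_rules(policy, path):
    """Return {pattern: capabilities} for every rule in `policy` matching `path`."""
    return {pat: caps for pat, caps in policy.items() if path_matches(pat, path)}


# The policy posted in the thread, and a corrected version using "+".
ORIGINAL_POLICY = {
    "*": ["list"],
    "*/data/*": ["create", "read", "update", "delete", "list"],
    "*/metadata/*": ["create", "read", "update", "delete", "list"],
}

CORRECTED_POLICY = {
    "*": ["list"],
    "+/data/*": ["create", "read", "update", "delete", "list"],
    "+/metadata/*": ["create", "read", "update", "delete", "list"],
}


if __name__ == "__main__":
    # Constructed KV v2 request paths; mount names are assumptions.
    for path in ("secret/data/app/db", "kv/metadata/app/db", "team/kv/data/x"):
        print(path)
        print("  original :", matching_rules(ORIGINAL_POLICY, path))
        print("  corrected:", matching_rules(CORRECTED_POLICY, path))
```

Running it shows why the original policy only lists: "*/data/*" never matches a real path because the leading "*" is literal, so only the "*" rule (list) applies, while "+/data/*" does match "secret/data/app/db". It also shows the caveat that "+" covers exactly one directory, so a KV v2 engine mounted at "team/kv/" needs "+/+/data/*". When several rules match, Vault picks one according to its documented priority rules, which this toy does not reproduce; check the effective result on a real server with `vault token capabilities <path>`.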

A root-like policy is mentioned here:

An admin policy is mentioned here:

My policy is based on the admin one at the link, but it does not allow me to access every secret and manage it. But maybe Vault is not built for that; it forces us to indicate the paths that we want to access in order to have a more “precise” policy?