Issue with secret-ids

We have written a Powershell script to re-create our secret-ids from our deployment pipeline.
However, I have observed, in my testing, that the previous secret-id is still valid for logging in.
All of them are created with a TTL=0,
I seem to not be able to use the API call


We’re getting a permission denied. The approle I’m logged into when running this command is one that has this policy:

# Grant 'update' permission on the 'auth/approle/role/+/secret-id' path
path "auth/approle/role/+/secret-id" {
   capabilities = [ "create", "update" ]

What other capabilities do I need to use the destroy functionality? Or can someone explain why the old secret-id continues to work?