Issues with JWT auth

I’m trying to understand JWT auth and have set up a dev version of vault but I’m getting a “permission denied” error. I’ve double checked everything but can’t see anything wrong.

This is the policy:-

$ vault policy read test-policy
path "kv/my-secret" {
  capabilities = [ "read" ]
}

This is the role I’ve created:-

$ vault read auth/jwt/role/test-role
Key                        Value
---                        -----
allowed_redirect_uris      <nil>
bound_audiences            <nil>
bound_claims               map[branch:main service_name:study]
bound_claims_type          string
bound_subject              n/a
claim_mappings             map[]
clock_skew_leeway          0
expiration_leeway          0
groups_claim               n/a
max_age                    0
not_before_leeway          0
oidc_scopes                <nil>
policies                   [test-policy]
role_type                  jwt
token_bound_cidrs          []
token_explicit_max_ttl     30s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [test-policy]
token_ttl                  0s
token_type                 default
user_claim                 sub
user_claim_json_pointer    false
verbose_oidc_logging       false

and this is the encoded payload in the JWT:-

{
  "iss": "myprovider.com",
  "sub": "sub",
  "aud": "audrey",
  "iat": 1701257192,
  "exp": 1701257792,
  "service_name": "study",
  "branch": "main"
}

and I’ve verified the public key is correct in the vault.

This was the CLI request I made (I’ve omitted the token here):-

vault write auth/jwt/login role=test-role jwt=

This was the response I got back from the auth request:-

WARNING! The following warnings were returned from Vault:

  * TTL of "768h" exceeded the effective max_ttl of "30s"; TTL value is capped
  accordingly

Key                  Value
---                  -----
token                hvs.CAESIHpVgoK-hWbDzC2NExNbjiH3qMpsYsuGqRW646Kl5cGcGh4KHGh2cy5EUExwMWNvQVFuaTB0TEpuY2JYUnpvOG4
token_accessor       7KIqnmX2peNF0D3tNxPPW87V
token_duration       30s
token_renewable      true
token_policies       ["default" "test-policy"]
identity_policies    []
policies             ["default" "test-policy"]
token_meta_role      test-role

I then exported the token:-

export VAULT_TOKEN="hvs.CAESIFDESLMOEh_cheL7ruKIz2lcqpDMN5P4xdVyxK-eXg7DGh4KHGh2cy5jOGh3WnhZb2tjTzlaVm5TeUhwYVRFN0Q"

then tried to get the creds:-

vault kv get kv/my-secret

but get the following back:-

Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/kv/my-secret
Code: 403. Errors:

* permission denied

Any ideas where I might be going wrong?
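As an added example (not from the original post and not Vault's own code), this models the two checks the configuration above has to pass: the jwt role's claim binding at login, and the policy's path match on the later `vault kv get`. It assumes the role, claims and policy exactly as printed in the post, treats the `<nil>` bound_audiences as "no audience check" (which is what the successful login suggests), and reduces Vault's ACL matching to exact paths and trailing-`*` globs.

```python
# Role settings as printed by `vault read auth/jwt/role/test-role` in the post
ROLE = {
    "bound_claims": {"branch": "main", "service_name": "study"},
    "bound_audiences": None,  # <nil> in the role output: modelled as "no audience check"
    "user_claim": "sub",
    "clock_skew_leeway": 0,
    "expiration_leeway": 0,
    "not_before_leeway": 0,
}

# Decoded JWT payload from the post (signature verification assumed already done)
CLAIMS = {
    "iss": "myprovider.com", "sub": "sub", "aud": "audrey",
    "iat": 1701257192, "exp": 1701257792,
    "service_name": "study", "branch": "main",
}

# The policy from `vault policy read test-policy`, as path -> capabilities
POLICY = {"kv/my-secret": {"read"}}


def login_problems(role, claims, now):
    """Simplified model (an assumption, not the plugin's code) of the checks a
    jwt role applies at login. Returns the reasons a login would be refused."""
    problems = []
    skew = role["clock_skew_leeway"]
    if "exp" in claims and now > claims["exp"] + role["expiration_leeway"] + skew:
        problems.append("jwt expired")
    if "nbf" in claims and now < claims["nbf"] - role["not_before_leeway"] - skew:
        problems.append("jwt not yet valid")
    if role["bound_audiences"] and claims.get("aud") not in role["bound_audiences"]:
        problems.append("aud not in bound_audiences")
    for name, want in role["bound_claims"].items():  # bound_claims_type = string
        if str(claims.get(name)) != want:
            problems.append(f"bound claim {name}: got {claims.get(name)!r}, want {want!r}")
    if role["user_claim"] not in claims:
        problems.append(f"user_claim {role['user_claim']} missing")
    return problems


def policy_allows(policy, request_path, capability):
    """Simplified ACL check: exact path or a trailing-'*' glob, deny by default."""
    for path, caps in policy.items():
        if path == request_path or (path.endswith("*") and request_path.startswith(path[:-1])):
            return capability in caps
    return False
```

The path check is what separates a successful login from a permission denied on the read: on a KV v2 mount, `vault kv get kv/my-secret` reads `kv/data/my-secret`, which a policy on `kv/my-secret` does not cover. The login output also shows `token_duration 30s` (the role's token_explicit_max_ttl), so a `vault token lookup` just before the read rules out an expired token.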