I have this policy for “db”:

```hcl
path "secret/*" {
  capabilities = ["list"]
}
path "secret/db/*" {
  capabilities = ["list", "read"]
}
```
I create a token with this policy via:

```shell
vault token create -policy db -period 72h -orphan -renewable=true -format=json
```
If I log in using this policy, I can click on and view secret/ and secret/db/. But when I click on the link for secret/db/config, I am told:
“You don’t have access to secret/. If you think you’ve reached this page in error, please contact your administrator.”
According to the docs here: Policies | Vault by HashiCorp

```hcl
# Permit reading everything under "secret/bar". An attached token could read
# "secret/bar/zip", "secret/bar/zip/zap", but not "secret/bars/zip".
path "secret/bar/*" {
  capabilities = ["read"]
}
```
Why can my token read secret/db but not secret/db/config? From reading the priority rules, the longer path should have higher priority, so I should have read/list on anything under secret/bar/*.
Pointers appreciated!
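As an added illustration (not from the post above and not Vault's own code), here is a small Python model of the precedence rules the docs describe, run against the "db" policy. It models only the trailing `*` glob (not the `+` segment wildcard) and, as an assumption the post does not state, also checks the `secret/data/...` path that the UI requests when the `secret/` mount is a KV version 2 engine.

```python
# Simplified model of how Vault picks the rule that governs a request path.
# Rules modelled (from the policy docs): an exact rule wins over any glob;
# otherwise the matching glob with the longest prefix wins; a "deny"
# capability overrides everything else. Only the trailing "*" glob is
# modelled; the "+" single-segment wildcard is left out for brevity.

# The policy from the post, as rule -> capability set.
DB_POLICY = {
    "secret/*": {"list"},
    "secret/db/*": {"list", "read"},
}


def capabilities(policy, request_path):
    """Return the capability set the policy grants on request_path."""
    if request_path in policy:            # exact rules take precedence
        caps = policy[request_path]
        return set() if "deny" in caps else set(caps)

    best, best_len = None, -1
    for rule, caps in policy.items():
        if not rule.endswith("*"):
            continue
        prefix = rule[:-1]
        # Longest matching prefix wins, so "secret/db/*" beats "secret/*".
        if request_path.startswith(prefix) and len(prefix) > best_len:
            best, best_len = caps, len(prefix)

    if best is None or "deny" in best:
        return set()
    return set(best)


def can(policy, request_path, capability):
    return capability in capabilities(policy, request_path)


if __name__ == "__main__":
    # KV v1 style paths: the policy text grants read on secret/db/config.
    for p in ["secret/", "secret/db/", "secret/db/config"]:
        print(p, sorted(capabilities(DB_POLICY, p)))
    # Assumption: if secret/ is a KV v2 mount, the UI actually requests
    # secret/data/db/config (and secret/metadata/db/...). Those paths only
    # match "secret/*", so the token gets list but not read on them.
    for p in ["secret/data/db/config", "secret/metadata/db/config"]:
        print(p, sorted(capabilities(DB_POLICY, p)))
```

Comparing the capability set for `secret/db/config` with the one for `secret/data/db/config` shows why a policy written for KV v1 paths can grant less than expected on a KV v2 mount.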