Not understanding Vault policies for secret paths

I have Vault secrets created in these paths:

kv/devops/kubernetes/myservice/mysecret
kv/devops/kubernetes/myservice/tokens/mytoken1

I have a policy that specifies

path "kv/devops/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

I am not able to access my secrets in those paths. In my policy, I've tried variations such as kv/devops* and kv/devops/kubernetes/*.

The only policy path that works for me is kv/*, where I am able to list and read my secrets, but that is too broad for my use case.

I am misunderstanding something about secret paths and would appreciate an explanation and a proper configuration for my use case.

Thanks

path "kv/data/devops/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

If it’s a versioned kv secrets engine, this should work.

I gave that a try, but it didn't work.

I'm using the web UI, and when trying to access the kv secret storage, it returns: "You don't have access to kv/. If you think you've reached this page in error, please contact your administrator."

Forgot to mention, I am on v1.4.2.

For the UI you will need list on metadata:

path "kv/metadata/devops/*" {
  capabilities = ["list"]
}

This is my policy now:

path "kv/data/devops/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "kv/metadata/devops/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

I just tested using the CLI as well, and I get permission denied from both. When I log in via the CLI, the attached policies are what I expected: policies ["default" "h2_devops"]

h2_devops is the policy I am using.

But doing

$ vault kv list kv
Error listing kv/metadata: Error making API request.

URL: GET https://<removed>/v1/kv/metadata?list=true
Code: 403. Errors:

* 1 error occurred:
	* permission denied

If I use a root token, it works as expected.

Interestingly, removing devops from the path works, but that is too broad for our use case.

path "kv/data/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "kv/metadata/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
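A small model of the path mapping at issue in this thread, added here as an example (it is not code from the thread or from Vault itself). It assumes a kv v2 engine mounted at kv and handles only the trailing * glob and allow rules, and it shows why `vault kv list kv` is checked against `kv/metadata/` and is denied under the devops-scoped policy, while `vault kv list kv/devops` and reads below `kv/data/devops/` are granted.

```python
# Added example (not from the thread or from Vault's code base): a small model
# of how a 'vault kv' CLI path becomes the API path that policy globbing is
# evaluated against. Assumes kv v2 and handles only the trailing "*" glob and
# allow rules (no "+" segment wildcard, no deny precedence).
ALL = {"create", "read", "update", "delete", "list", "sudo"}

# Constructed from the thread's h2_devops policy: scoped to devops only.
DEVOPS_POLICY = [("kv/data/devops/*", ALL), ("kv/metadata/devops/*", ALL)]
# The mount-wide policy the poster says works but finds too broad.
MOUNT_WIDE_POLICY = [("kv/data/*", ALL), ("kv/metadata/*", ALL)]

def kv2_api_path(mount: str, cli_path: str, op: str) -> str:
    """Map the path given to 'vault kv get/put/list' to the kv v2 API path.

    Reads and writes go to <mount>/data/<key>, lists to <mount>/metadata/<key>.
    Vault appends a trailing slash to LIST paths before ACL evaluation, so
    'vault kv list kv' is checked as 'kv/metadata/' (the mount root).
    """
    key = cli_path[len(mount) + 1:] if cli_path.startswith(mount + "/") else ""
    api = f"{mount}/{'metadata' if op == 'list' else 'data'}"
    if key:
        api += "/" + key
    if op == "list" and not api.endswith("/"):
        api += "/"
    return api

def glob_matches(pattern: str, path: str) -> bool:
    """Policy globbing: a trailing '*' matches any suffix (even an empty one);
    without it the path must match exactly."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def allowed(policy, mount: str, cli_path: str, op: str):
    """Return (api_path, granted): whether any rule grants `op` on the path."""
    api = kv2_api_path(mount, cli_path, op)
    return api, any(glob_matches(p, api) and op in caps for p, caps in policy)

if __name__ == "__main__":
    # 'vault kv list kv' -> LIST kv/metadata/: denied by the scoped policy
    # (the 403 in the thread) but granted by the mount-wide one.
    print(allowed(DEVOPS_POLICY, "kv", "kv", "list"))         # ('kv/metadata/', False)
    print(allowed(MOUNT_WIDE_POLICY, "kv", "kv", "list"))     # ('kv/metadata/', True)
    # Listing and reading below devops/ are granted by the scoped policy.
    print(allowed(DEVOPS_POLICY, "kv", "kv/devops", "list"))  # ('kv/metadata/devops/', True)
    print(allowed(DEVOPS_POLICY, "kv", "kv/devops/kubernetes/myservice/mysecret", "read"))
```

Listing the mount root is what `vault kv list kv` and the UI's kv/ browser do, so that root needs its own list grant (for example an exact-path rule on kv/metadata/ with only ["list"]) if the data rules are to stay scoped to devops.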