Policies and globbing

Hi! I got confused by Vault documentation & issue tracker contradicting each other, could someone please help?
In docs for policies https://www.vaultproject.io/docs/concepts/policies.html it says I can do the following

# Permit reading the "teamb" path under any top-level path under secret/
path "path/to/my/+/teamb" {
  capabilities = ["read"]

Which fits the bill for my case. However, it has no effect (no capabilities from this policy are applied to ‘teamb’ - when I do ‘token capabilities path/to/my/service_name/teamb’, there is no ‘Read’ which should’ve been applied by the policy above).

Now, I’ve seen quite a few closed issues on github saying that globbing is not supported at all and there are no plans for it.

So, question is: can I provide capabilities to a specific secret under different ‘parent’ folders?

I tested with K/V v2 and “+” works. You can try --> https://www.katacoda.com/hashicorp/scenarios/vault-policies

My policy looks like:

path "secret/data/+/apikey" {
   capabilities = ["create", "read", "update", "delete"]

And the following command works.

$ vault kv get secret/team-eng/apikey

If you are using Identity Entities or Groups, use ACL Templating is another option.

Hope this helps.