I am going to guess that your `secret/` is a KV v2 secrets engine.
These frequently cause great confusion for new policy authors.
The URLs you use with the KV v2 secrets engine all have an extra path segment inserted between the base path of the secrets engine, and the path within the secrets engine that you see in the UI, or use with the `vault kv ...` set of CLI commands.
If your KV v2 secrets engine is mounted at `secret/` and you are working with a secret within it at `path/to/key`, the URL-paths you will actually use will be:
- `secret/data/path/to/key` - Implements `create`, `update`, `read`, `delete`, `patch` - used for most common operations EXCEPT `list`.
- `secret/metadata/path/to/key` - Implements `list`, `create`, `update`, `read`, `delete` - used for `list`, modifying per-secret configuration settings, modifying per-secret custom metadata, and deleting the full version history of a secret.
- `secret/delete/path/to/key` - Implements `update` capability only - soft delete of a single version of a secret.
- `secret/undelete/path/to/key` - Implements `update` capability only - reverses soft delete of a single version of a secret.
- `secret/destroy/path/to/key` - Implements `update` capability only - permanently wipes a single version of a secret.
- `secret/subkeys/path/to/key` - Implements `read` capability only - returns JSON structure of secret with the values filtered out.
It is these URL-paths which would appear in your policies.
The URL layout of the KV v2 secrets engine confuses many people - if you’re going to be using them, it is good to take some time to carefully read through what operations exist on the various KV v2 subpaths, at KV - Secrets Engines - HTTP API | Vault | HashiCorp Developer.
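As an added illustration (not part of the answer above), here is a Vault policy that grants every one of those subpaths for the same example secret. It assumes the mount `secret/` and the secret `path/to/key` from the answer; the capability sets follow the list above, and the `vault kv` commands named in the comments are the ones that exercise each path.

```hcl
# Added example policy, written to match the subpath list above.
# Assumes a KV v2 engine mounted at secret/ and a secret at path/to/key.

# Current-version operations: vault kv get / put / patch / delete.
# Note that "list" is NOT served here, so granting it on data/ does nothing.
path "secret/data/path/to/key" {
  capabilities = ["create", "read", "update", "patch", "delete"]
}

# Listing is a LIST on the metadata/ prefix of the *parent* folder.
# Vault treats LIST request paths as ending in "/", so the policy path
# carries the trailing slash: vault kv list secret/path/to
path "secret/metadata/path/to/" {
  capabilities = ["list"]
}

# Version history and custom metadata (vault kv metadata get / put),
# and wiping the whole secret including every version
# (vault kv metadata delete).
path "secret/metadata/path/to/key" {
  capabilities = ["read", "update", "delete"]
}

# Per-version operations are all POST bodies, hence "update" only:
#   vault kv delete   -versions=2 secret/path/to/key   -> delete/
#   vault kv undelete -versions=2 secret/path/to/key   -> undelete/
#   vault kv destroy  -versions=2 secret/path/to/key   -> destroy/
path "secret/delete/path/to/key" {
  capabilities = ["update"]
}

path "secret/undelete/path/to/key" {
  capabilities = ["update"]
}

path "secret/destroy/path/to/key" {
  capabilities = ["update"]
}

# Key names only, values stripped: GET secret/subkeys/path/to/key
path "secret/subkeys/path/to/key" {
  capabilities = ["read"]
}
```

Load it with `vault policy write kv-example ./kv-example.hcl`, then check what a token holding it can actually do with `vault token capabilities secret/data/path/to/key` and `vault token capabilities secret/metadata/path/to/`. A policy that only mentions `secret/path/to/key` (without `data/`, `metadata/`, etc.) will report no capabilities on any of these, which is the usual cause of the "permission denied" reports from new KV v2 policy authors.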