Policy to match multiple directories in the middle

I have a requirement to “deny” access to vault path like PATH/****/SOME_PATH/*****/*SOMESUFFIX

Expectation is to block all the below paths:
PATH/one/two/three/SOME_PATH/four/five/sixSOMESUFFIX
PATH/one/two/SOME_PATH/four/sixSOMESUFFIX

I have created policies like below for that

path "PATH/*/SOME_PATH/*/*SOMESUFFIX" {
  capabilities = ["deny"]
}

But this doesn’t block the access.

I even tried the policy below (based on a suggestion from Grok that “**” will match multiple directories)

path "PATH/**/SOME_PATH/**/*SOMESUFFIX" {
  capabilities = ["deny"]
}

Any help to fix any issue in my policy?

Hello @cravi53 ,
Vault does not support using * in the middle of the path; it should only be used as the last character. Maybe this link can help you.

With that being said, you can try using the + to match the common suffix, something like this: path/+/some-path/* or path/+/+/some-path/*. It cannot be used as part of a directory, like path/test+/some-path; this will not work.

You could try using: path/+/some-path/+/secret-name

Let me know if it helps you.
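To check which rule covers which path before loading a policy, here is an added example (my own, not code from the reply above or from Vault itself) that models the matching rules stated in this thread: a segment that is exactly "+" matches one whole segment, "*" is a glob only as the last character, and a "*" anywhere else is a literal. It deliberately ignores Vault's longest-prefix precedence between overlapping rules, and the candidate rules are constructed for the two sample paths in the question.

```python
import re

# Added example: a model of the Vault policy path-matching rules described in this
# thread. It is NOT Vault's own matcher. Rules modelled:
#   - a segment that is exactly "+" matches any single path segment
#   - "*" is a glob only as the final character of the pattern (matches any suffix)
#   - a "*" anywhere else is treated as a literal character
# Vault's longest-prefix precedence between overlapping rules is not modelled.

def policy_path_to_regex(pattern: str):
    """Translate one policy path pattern into a compiled regular expression."""
    trailing_glob = pattern.endswith("*")
    body = pattern[:-1] if trailing_glob else pattern
    parts = []
    for segment in body.split("/"):
        # "+" must be the whole segment; "test+" stays literal, as the reply says
        parts.append("[^/]+" if segment == "+" else re.escape(segment))
    return re.compile("/".join(parts) + (".*" if trailing_glob else ""))

def matches(pattern: str, path: str) -> bool:
    """True if the whole path is matched by the policy pattern."""
    return policy_path_to_regex(pattern).fullmatch(path) is not None

def covering_patterns(patterns, path):
    """Return the patterns from `patterns` that match `path`, in order."""
    return [p for p in patterns if matches(p, path)]

# The two paths the question wants blocked (copied from the question above).
SAMPLE_PATHS = [
    "PATH/one/two/three/SOME_PATH/four/five/sixSOMESUFFIX",
    "PATH/one/two/SOME_PATH/four/sixSOMESUFFIX",
]

# Candidate deny-rule paths: the two from the question, plus "+"-based rules that
# spell out each directory depth explicitly (constructed for this example).
CANDIDATES = [
    "PATH/*/SOME_PATH/*/*SOMESUFFIX",    # mid-path "*" is literal: matches nothing real
    "PATH/**/SOME_PATH/**/*SOMESUFFIX",  # same problem
    "PATH/+/+/+/SOME_PATH/+/+/*",        # 3 dirs before, 2 after, any leaf name
    "PATH/+/+/SOME_PATH/+/*",            # 2 dirs before, 1 after, any leaf name
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, "->", covering_patterns(CANDIDATES, path) or "NOT COVERED")
```

Note that the trailing * in the working rules matches any leaf name, not only names ending in SOMESUFFIX, so the deny is broader than the question asked for; a separate rule is needed for each directory depth.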