I see nothing wrong with the general approach, but since you haven’t shared the exact details of the API calls you are trying to make, or the exact details of the errors returned, it is difficult to be helpful.
When I access the kv2 read metadata api endpoint in my setup, with the only difference being in the policy mentioned above, the read either succeeds with the general policy, or fails with a 403 error with the “metadata” only policy.
With a little more testing, it seems like the basics of my problem were too boiled down. If multiple engines are involved, the policy fails across mounts:
Ah, that sounds familiar. The logic that Vault uses to determine which is the “most specific” policy path rule is weird. I actually think there’s a case for calling it defective. For example, a rule for any of these:
engines/*
engines/engine1/*
engines/engine1/metadata/*
would be considered “more specific” than the rule for engines/+/metadata/apath/* and would override it.
I think in my case it might be that the “+” specification seems to have some unexpected (maybe buggy?) interaction at the mount vs path split. Maybe I’ll file it as an issue.