[Resolved] Vault Acl policy [newbie]

I use the secret kv engine. When writing an ACL policy, if the path is only written as secret/*, the user is able to access the related path, subpaths and secret; however, as soon as other paths are added after secret/, it results in the user not being able to access the corresponding path, subpaths and secret.

OK:path "secret/*" 	{    capabilities = [ "read"、"list"]  }
NO:path "secret/sec/*" 	{    capabilities = [ "read"、"list"]  }

Where did it go wrong? Thank you! Sorry for my bad English.

Translated with DeepL.com (free version)

The KV-V2 engine requires a slight change in regards to policies as the KV-V2 engine stores metadata, in addition to the standard data. You need to specify both metadata and data.

path "kv/data/path/to/secret" {
  capabilities = ["read", "list"]
path "kv/metadata/path/to/secret" {
  capabilities = ["read", "list"]

This can be shortened to a single policy, when using the + attribute.

path "kv/+/path/to/secret" {
  capabilities = ["read", "list"]

It seems like to require list for metadata(or +). Now it works, thank you!

path "secret/metadata/" {   capabilities = ["list"] }
path "secret/+/sec/*" {   capabilities = ["read", "list"] }