Templated Policies for K8s

Hello Folks!

I have a k8s cluster integrated with Vault and I'm trying to use templated policies instead of defining each path explicitly. I created a policy that uses identity.entity.aliases.auth_accessor.metadata.service_account_namespace in the path so it will match the path to the namespace of any service account that authenticated via the auth_accessor, and allow read and list permissions:

path "secret/{{identity.entity.aliases.auth_accessor.metadata.service_account_namespace}}/*" {
  capabilities = [ "read", "list" ]
}

What I have noticed is that when the service gets authenticated, it gets a 403 on the HTTPS GET, as shown below:

vault.read (secret/namespace) , permission denied 403 GET https://vault-url/v11/data/secret/namespace 
vault.read (secret/namespace) , permission denied 403 GET https://vault-url/v11/metadata/secret/namespace 

I tried to add /data and /metadata to the policy but no luck!

Can anyone explain to me how Vault GETs the secrets? As far as I know, all secret calls are sent to /v1/secret/path/to/secret. What have I missed in the above policy?


I fixed the above by allowing read and list on the root path secret/* and adding a trailing / to the end of the templated policy path, just like below:

path "secret/{{identity.entity.aliases.auth_accessor.metadata.service_account_namespace}}/*/" {
  capabilities = [ "read", "list" ]
}

Thank you!
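Editor's note on the 403s above: the two denied URLs both carry a /data or /metadata segment, which is the signature of a KV version 2 mount. On KV v2, `vault kv get secret/ns/db` is really `GET /v1/secret/data/ns/db`, `vault kv metadata get` reads `secret/metadata/ns/db`, and `vault kv list` needs the `list` capability on `secret/metadata/ns/`. A policy path of `secret/{{...}}/*` therefore never matches, and the templated rule has to name the `data` and `metadata` segments itself. Granting read and list on `secret/*` makes the error go away, but it also hands every authenticated service account every other namespace's secrets. The following Python model is an added example, not code from the post or from HashiCorp: it substitutes alias metadata into the template the way Vault does for the calling entity, applies Vault's path-rule semantics (trailing `*` is a prefix glob, `+` matches one segment, everything else is exact), and evaluates the three KV v2 operations against the original policy, a least-privilege KV v2 policy, and the broad `secret/*` policy. The accessor name `auth_kubernetes_7e8a1f3c` and the alias metadata are constructed; in a real cluster `auth_accessor` must be the accessor shown by `vault auth list`. The ACL check is deliberately simplified (no deny precedence, no longest-prefix selection, no parameter constraints), and the trailing-slash variant from the post is not modelled.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed values: the Kubernetes auth mount accessor and the alias metadata
# Vault records after a k8s login. The real accessor comes from `vault auth list`.
KUBE_ACCESSOR = "auth_kubernetes_7e8a1f3c"
ALIAS_METADATA = {
    KUBE_ACCESSOR: {
        "service_account_name": "app",
        "service_account_namespace": "payments",
    }
}
TPL = "{{identity.entity.aliases.%s.metadata.service_account_namespace}}" % KUBE_ACCESSOR

# Policy as written in the post: a KV v1-style path with no /data or /metadata segment.
POLICY_ORIGINAL = 'path "secret/' + TPL + '/*" {\n  capabilities = ["read", "list"]\n}\n'

# Least-privilege policy for a KV v2 mount: the HTTP paths Vault checks carry
# /data (secret read) and /metadata (metadata read and list).
POLICY_KV2 = (
    'path "secret/data/' + TPL + '/*" {\n  capabilities = ["read"]\n}\n'
    'path "secret/metadata/' + TPL + '/*" {\n  capabilities = ["read", "list"]\n}\n'
)

# The post's fix: works, but is not scoped to the caller's namespace at all.
POLICY_BROAD = 'path "secret/*" {\n  capabilities = ["read", "list"]\n}\n'

TEMPLATE_RE = re.compile(r"\{\{identity\.entity\.aliases\.(\w+)\.metadata\.(\w+)\}\}")
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def render_policy(policy: str, alias_metadata: Dict[str, Dict[str, str]]) -> str:
    """Substitute entity-alias metadata into the templated path, as Vault does at
    request time for the authenticated entity (only this template form is handled)."""
    return TEMPLATE_RE.sub(lambda m: alias_metadata[m.group(1)][m.group(2)], policy)


def parse_policy(policy: str) -> List[Tuple[str, Set[str]]]:
    """Extract (path pattern, capability set) pairs from HCL policy text."""
    rules = []
    for m in RULE_RE.finditer(policy):
        caps = {c.strip().strip('"') for c in m.group(2).split(",") if c.strip()}
        rules.append((m.group(1), caps))
    return rules


def pattern_to_regex(pattern: str) -> str:
    """Vault path-rule semantics: trailing '*' is a prefix glob, '+' matches exactly one
    path segment, anything else must match exactly."""
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    segs = [r"[^/]+" if s == "+" else re.escape(s) for s in pattern.split("/")]
    return "/".join(segs) + (".*" if glob else "")


def path_matches(pattern: str, api_path: str) -> bool:
    return re.fullmatch(pattern_to_regex(pattern), api_path) is not None


def is_allowed(rendered_policy: str, api_path: str, capability: str) -> bool:
    """Simplified ACL check: allowed if any matching rule grants the capability.
    Real Vault additionally applies deny precedence and longest-prefix selection."""
    return any(capability in caps and path_matches(p, api_path)
               for p, caps in parse_policy(rendered_policy))


def kv2_operations(mount: str, secret_path: str) -> Dict[str, Tuple[str, str]]:
    """API path and capability Vault checks for each KV v2 CLI operation.
    `vault kv get secret/ns/db` is really GET /v1/secret/data/ns/db."""
    parent = secret_path.rsplit("/", 1)[0]
    return {
        "kv get": (f"{mount}/data/{secret_path}", "read"),
        "kv metadata get": (f"{mount}/metadata/{secret_path}", "read"),
        "kv list": (f"{mount}/metadata/{parent}/", "list"),
    }


def evaluate(policy: str, mount: str, secret_path: str) -> Dict[str, bool]:
    """Render the policy for the constructed entity and decide each KV v2 operation."""
    rendered = render_policy(policy, ALIAS_METADATA)
    return {op: is_allowed(rendered, path, cap)
            for op, (path, cap) in kv2_operations(mount, secret_path).items()}


if __name__ == "__main__":
    for name, pol in (("original", POLICY_ORIGINAL), ("kv2 scoped", POLICY_KV2),
                      ("secret/* (broad)", POLICY_BROAD)):
        for sp in ("payments/db", "billing/db"):
            print(f"{name:18} {sp:12} {evaluate(pol, 'secret', sp)}")
```

Running it shows the original policy denying all three operations even for the caller's own namespace, the scoped KV v2 policy allowing `payments/db` while denying `billing/db`, and the broad policy allowing both, which is the over-grant to watch for. In production the `/data` and `/metadata` rules also benefit from splitting `list` away from `read` on the data path, as the scoped policy does.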