I’m troubleshooting an issue where I’m unable to permanently delete specific secrets. I’m also seeing conflicting information between the logs and CLI.
First off, when I run `vault token capabilities secret/data/prod/phi-test` I get the following result: `create, delete, list, patch, read, sudo, update`
In the logs, I see 2 Identity Policies referenced, and the ultimate policy_result returned as `allowed: false`.
Here are the 2 policies:
oidc-default-policy:

```hcl
path "*" {
  capabilities = [
    "list",
    "patch",
    "read",
    "update",
    "create",
  ]
}
path "prod/+/phi*" {
  capabilities = [
    "list",
  ]
}
```

oidc-superadmin-policy:

```hcl
path "*" {
  capabilities = [
    "list",
    "read",
    "patch",
    "update",
    "create",
    "delete",
    "sudo",
  ]
}
path "prod/data/phi*" {
  capabilities = [
    "list",
    "read",
    "patch",
    "update",
    "create",
    "delete",
    "sudo",
  ]
}
```
The issue only affects secrets within Prod that start with `phi`.
I'm assuming that the two identity policies referenced in the logs should be our focus, but please correct me if I'm wrong there.
That said, this part of the docs seems to indicate that the `oidc-superadmin-policy` capabilities should ultimately override the `oidc-default-policy` capabilities:
> For example, given the two paths, `secret/*` and `secret/+/+/foo/*`, the first wildcard appears in the same place, both end in `*`, and the latter has two wildcard segments while the former has zero. So we end at rule (3), and give `secret/+/+/foo/*` *lower* priority.
Thank you for any help.
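As an added example (not from the original post and not HashiCorp's own code), the following Python is a small re-implementation of the policy-path matching and priority rules quoted from the docs, run over the two policies transcribed from the post and over the request path used in the `vault token capabilities` call. It assumes the documented semantics: `+` matches exactly one path segment, a trailing `*` matches any remaining suffix, capabilities are unioned across policies for an identical path pattern, an exact-path rule wins outright, and otherwise the single most specific matching pattern (by the numbered priority rules) decides. The helper names (`matches`, `priority_key`, `select_rule`, `effective_capabilities`) and the extra request paths are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# Policies transcribed from the post (constructed sample input, not live data).
POLICIES: Dict[str, Dict[str, List[str]]] = {
    "oidc-default-policy": {
        "*": ["list", "patch", "read", "update", "create"],
        "prod/+/phi*": ["list"],
    },
    "oidc-superadmin-policy": {
        "*": ["list", "read", "patch", "update", "create", "delete", "sudo"],
        "prod/data/phi*": ["list", "read", "patch", "update", "create", "delete", "sudo"],
    },
}


def matches(pattern: str, path: str) -> bool:
    """True if a policy path pattern matches a request path.

    '+' matches exactly one segment; a trailing '*' matches any remaining suffix,
    so 'secret/*' matches 'secret/data/x' but not 'secret' (simplified model of the
    documented behaviour, not Vault's acl.go).
    """
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    rseg = path.split("/")
    if not glob:
        return len(pseg) == len(rseg) and all(p in ("+", r) for p, r in zip(pseg, rseg))
    head, tail = pseg[:-1], pseg[-1]  # tail: partial last segment that precedes '*'
    if len(rseg) < len(pseg):
        return False
    if any(p not in ("+", r) for p, r in zip(head, rseg)):
        return False
    return "/".join(rseg[len(head):]).startswith(tail)


def priority_key(pattern: str) -> Tuple[int, int, int, int, str]:
    """Sort key for the documented priority rules; a larger key wins.

    1. earlier first '+' or '*'      -> lower priority
    2. ends in '*' (other does not)  -> lower priority
    3. more '+' segments             -> lower priority
    4. shorter                       -> lower priority
    5. lexicographically smaller     -> lower priority
    """
    first_wc = min((i for i, c in enumerate(pattern) if c in "+*"), default=len(pattern))
    return (first_wc, 0 if pattern.endswith("*") else 1, -pattern.count("+"), len(pattern), pattern)


def select_rule(policies: Dict[str, Dict[str, List[str]]], path: str) -> Tuple[str, Set[str]]:
    """Return (winning pattern, merged capabilities) for a request path, or ('', {'deny'})."""
    merged: Dict[str, Set[str]] = {}
    for rules in policies.values():  # union per identical pattern across all policies
        for pattern, caps in rules.items():
            merged.setdefault(pattern, set()).update(caps)
    if path in merged:  # an exact-path rule takes precedence over any wildcard/glob rule
        return path, set(merged[path])
    candidates = [p for p in merged if matches(p, path)]
    if not candidates:
        return "", {"deny"}
    winner = max(candidates, key=priority_key)
    return winner, set(merged[winner])


def effective_capabilities(policies: Dict[str, Dict[str, List[str]]], path: str) -> Set[str]:
    """Capabilities granted on `path`; an explicit 'deny' on the winning rule overrides the rest."""
    _, caps = select_rule(policies, path)
    return {"deny"} if "deny" in caps else caps


if __name__ == "__main__":
    for req in ("secret/data/prod/phi-test", "prod/data/phi-test", "prod/other/phi-x"):
        pattern, caps = select_rule(POLICIES, req)
        print(f"{req:28} <- {pattern or '(no match)':16} {sorted(caps)}")
    # The docs example from the quoted passage, highest priority first.
    print(sorted(["secret/*", "secret/+/+/foo/*"], key=priority_key, reverse=True))
```

Running it shows that for `secret/data/prod/phi-test` only the `*` pattern matches, so the result is the union of both policies' `*` capabilities, which is exactly the list the CLI printed; the `prod/+/phi*` and `prod/data/phi*` patterns are only compared against each other for request paths that begin with `prod/`, where the rules pick `prod/data/phi*` over `prod/+/phi*` because it has fewer `+` segments. One caveat when checking capabilities for a permanent delete on KV v2: `vault kv metadata delete` is authorized against `<mount>/metadata/<path>` (`delete`) and `vault kv destroy` against `<mount>/destroy/<path>` (`update`), which are different request paths from `<mount>/data/<path>`.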