V1.5.2 - inconsistent behavior /sys/policies/acl vs /sys/policy

K8S 1.20
Vault 1.5.2

Using the terraform/vault provider, when I tried to update (write) an existing policy, I got a 403. After some digging, this is what tf sends to vault → PUT /v1/sys/policies/acl/, though as you can see below, the admin-policy should have allowed it.


path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

Here I did some testing with Postman, and you can see that /sys/policy works for read, list and write, though /sys/policies/acl does not work for most (only works for read).

[GET] v1/sys/policies/acl/ - 405
[GET] v1/sys/policy/:name - works

[GET] v1/sys/policy/:name - works
[GET] v1/sys/policies/acl/:name - works

[PUT] /v1/sys/policies/acl/:name - 403
[PUT] /v1/sys/policy/cdshop-auth-policy - works
"request":{"id":"49893e8c-ae24-2e81-86ae-c11cc1ac4d7d","operation":"update","mount_type":"system","client_token":"hmac-sha256:ac375f9b218a15297616e02b7d5e9107f2ce712118ce88a5f3c5ba1ee41cb6f2","client_token_accessor":"hmac-sha256:f15640a8bebedfc517823eb186a6d1a6ab4cf3a68cf9017b37a01eb36e88253c","namespace":{"id":"root"},"path":"sys/policies/acl/cd-auth-policy","data":{"rules":"hmac-sha256:2b1335b313b9ae9d2658e6141ea60f209db8aa4485fed267517457b0eb74ff37"},"remote_address":""},"response":{"mount_type":"system","data":{"error":"hmac-sha256:eba39ca7b22534ebc427b9fbcc7d70571281a04982b0fc736af6cc5c40ac282b"}},"error":"1 error occurred:\n\t* permission denied\n\n"}

Vault 1.5.2 is almost 2 years old and the 1.5 release hasn’t been receiving updates since May 2021. I would suggest moving to a more recent release and seeing if the issue persists.