`vault list sys/policy` works but `vault policy list` returns permission denied

Hi,

I’m having a little trouble getting my user-login properly set up on my local workstation.
There are already numerous policies defined in our vault and I have full root access to one of the vault instances that also has full permissions to the whole vault.

There is an admin-policy which contains, among others, the following:

```hcl
# List existing policies
path "sys/policy" {
  capabilities = ["read", "list"]
}

# Create and manage ACL policies broadly across Vault
path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
```

And my user has that policy assigned; it shows up in both token_policies and policies after doing a local vault login.

However, I am unable to properly interact with the policies facility:

```
> vault policy list
Error listing policies: Error making API request.

URL: GET https://my.fancy.vault:8200/v1/sys/policies/acl?list=true
Code: 403. Errors:

* 1 error occurred:
	* permission denied
```

What confuses me most is that plain listing of that path works perfectly fine:

```
> vault list sys/policy
Keys
----
admin-policy
[...]
default
[...]
root
```

Please advise on how to further debug/resolve that.

I think you want to try

`sys/policies/*`

Indeed, that was the cause. Thank you!
So the URL shown in the permission error translates directly to the paths inside vault? That would be helpful to know for future issues.

Generally yes. policy is an odd one, as policy and policies were developed at different times with the intro of Sentinel EGP/RGP stuff.
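An added example, not code from any poster in this thread: it turns the verb and URL from the 403 message into the policy path and capability, then checks them against the quoted admin-policy. The function names are hypothetical, the matching is simplified to exact paths and trailing `*` globs (no `+` segments, no `deny`), and the capabilities on the added `sys/policies/*` rule are assumed to mirror the existing `sys/policy/*` rule.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed from the policy quoted in the thread: path rule -> capabilities.
ADMIN_POLICY = {
    "sys/policy": {"read", "list"},
    "sys/policy/*": {"create", "read", "update", "delete", "list", "sudo"},
}
# Assumption: the suggested rule gets the same capabilities as sys/policy/*.
FIXED_POLICY = dict(ADMIN_POLICY)
FIXED_POLICY["sys/policies/*"] = ADMIN_POLICY["sys/policy/*"]


def request_to_acl(method, url):
    """Map the verb and URL from a Vault error to (policy path, capability)."""
    parts = urlsplit(url)
    segments = parts.path.lstrip("/").split("/", 1)
    if len(segments) != 2 or segments[0] != "v1":
        raise ValueError("not a Vault v1 API URL: " + url)
    method = method.upper()
    # The CLI sends list requests as GET with ?list=true (or the LIST verb).
    if method == "LIST" or (
        method == "GET" and parse_qs(parts.query).get("list") == ["true"]
    ):
        return segments[1], "list"
    # POST/PUT need "create" instead when the entry does not exist yet.
    verbs = {"GET": "read", "POST": "update", "PUT": "update", "DELETE": "delete"}
    return segments[1], verbs[method]


def granted_caps(policy, path):
    """Exact rule wins; otherwise the longest matching trailing-'*' prefix."""
    if path in policy:
        return policy[path]
    globs = [r for r in policy if r.endswith("*") and path.startswith(r[:-1])]
    return policy[max(globs, key=len)] if globs else set()


def is_allowed(policy, method, url):
    path, cap = request_to_acl(method, url)
    return cap in granted_caps(policy, path)


if __name__ == "__main__":
    denied = "https://my.fancy.vault:8200/v1/sys/policies/acl?list=true"
    print(request_to_acl("GET", denied))            # path and capability needed
    print(is_allowed(ADMIN_POLICY, "GET", denied))  # original policy
    print(is_allowed(FIXED_POLICY, "GET", denied))  # with sys/policies/* added
```

Against a live server, `vault token capabilities sys/policies/acl` reports what the current token is granted on that path.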