Vault Namespace - shutdown / disable access

I’ve been asked to look into a shutdown option, where a namespace is compromised as an option, (vs whole vault sealing)
I can’t work out how to either disable a whole namespace or to implement a deny-all from either within the namespace or within the root account.
I thought it would be as simple as (from root level)

path “namespace1/*” {
capabilities = [“deny”]

But this didn’t work. Has anyone got any pointers or have actually got this to work for themselves?

Thank you


You can’t do this with ACL policies, because most specific policy wins - so an allow policy for namespace1/foo/bar/baz overrides a deny policy for namespace1/*.

However, have you seen Namespace API Lock | Vault by HashiCorp ?

You might just be the next superhero!
Thank you Maxb