Vault policy docs on precedence/priority

The Vault policy docs provide the below.

  1. If the first wildcard (+) or glob (*) occurs earlier in P1, P1 is lower priority
  2. If P1 ends in * and P2 doesn’t, P1 is lower priority
  3. If P1 has more + (wildcard) segments, P1 is lower priority
  4. If P1 is shorter, it is lower priority
  5. If P1 is smaller lexicographically, it is lower priority

I feel a bit silly asking but can anyone provide an example where rule 5 would come into play? My understanding at this point is that it’s just capitalization, e.g. secret/FOO is lower priority than secret/foo.

secrets/foo/secretentry
secrets/foo/SecretEntry

secret* wins.


Yep cool, as I thought then. Thanks for confirming :smiley:
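
The five rules quoted in the question, applied in order as a comparator. This is an added example, not part of the thread and not Vault's own code. The function names and the `kv/` and `s/` paths are constructed for illustration, and it assumes a path with no wildcard counts as having its first wildcard later than any real one. The first pair in `main` ties on rules 1 to 4, so rule 5 decides; the second is the pair from the reply.

```go
package main

import (
	"fmt"
	"strings"
)

// firstWildcard returns the index of the first '+' or '*' in p.
// Assumption: a path with neither sorts as if its wildcard came last.
func firstWildcard(p string) int {
	if i := strings.IndexAny(p, "+*"); i >= 0 {
		return i
	}
	return 1 << 30
}

// plusSegments counts path segments that are exactly "+".
func plusSegments(p string) (n int) {
	for _, seg := range strings.Split(p, "/") {
		if seg == "+" {
			n++
		}
	}
	return n
}

// LowerPriority applies the five rules in order. It reports whether p1 is
// lower priority than p2 and which rule decided. Identical paths fall
// through to rule 5 and report false.
func LowerPriority(p1, p2 string) (bool, int) {
	if a, b := firstWildcard(p1), firstWildcard(p2); a != b {
		return a < b, 1 // earlier wildcard or glob is lower priority
	}
	if a, b := strings.HasSuffix(p1, "*"), strings.HasSuffix(p2, "*"); a != b {
		return a, 2 // the path ending in '*' is lower priority
	}
	if a, b := plusSegments(p1), plusSegments(p2); a != b {
		return a > b, 3 // more '+' segments is lower priority
	}
	if len(p1) != len(p2) {
		return len(p1) < len(p2), 4 // shorter is lower priority
	}
	return p1 < p2, 5 // bytewise lexicographic comparison
}

func main() {
	fmt.Println(LowerPriority("s/+/+/c/d", "s/+/b/+/d"))
	fmt.Println(LowerPriority("secrets/foo/SecretEntry", "secrets/foo/secretentry"))
}
```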