Vault Policy & Web GUI

Check my solution above and also the docs for https://www.vaultproject.io/docs/secrets/kv/kv-v2 under “ACL Rules”. Basically in the kv-v2 engine the first node after the engine name is a prefix (e.g. data, metadata, delete, undelete, destroy) rather than the first node of the secret path. So your second policy path would need to be kv/+/teams/myteam/* if you wanted to allow full access to “kv/teams/myteam/*” secret paths.

1 Like
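The path rule from the reply above, checked with a simplified model of Vault's policy path matching. This is an added example, not code from the original post or from Vault itself; it models only two wildcard rules (`+` matches exactly one path segment, a trailing `*` matches any suffix), and the secret name `db` is constructed.

```python
# Simplified model of Vault ACL path matching (assumption: only "+" as a
# single-segment wildcard and a trailing "*" as a prefix glob are modelled).

# Request prefixes the kv-v2 engine inserts after the mount name, as listed
# in the reply above.
KV2_PREFIXES = ("data", "metadata", "delete", "undelete", "destroy")


def policy_path_matches(pattern: str, request_path: str) -> bool:
    """Return True if a policy path pattern covers an API request path."""
    prefix_glob = pattern.endswith("*")
    if prefix_glob:
        pattern = pattern[:-1]
    pat_segs = pattern.split("/")
    req_segs = request_path.split("/")
    if prefix_glob:
        if len(req_segs) < len(pat_segs):
            return False
    elif len(req_segs) != len(pat_segs):
        return False
    last = len(pat_segs) - 1
    for i, seg in enumerate(pat_segs):
        if seg == "+":
            continue  # any single segment is accepted here
        if prefix_glob and i == last:
            # The final pattern segment is a string prefix of whatever remains.
            return "/".join(req_segs[i:]).startswith(seg)
        if seg != req_segs[i]:
            return False
    return True


def kv2_coverage(pattern: str, mount: str, secret_path: str) -> list:
    """List the kv-v2 request prefixes a policy pattern covers for one secret."""
    return [
        prefix
        for prefix in KV2_PREFIXES
        if policy_path_matches(pattern, f"{mount}/{prefix}/{secret_path}")
    ]


if __name__ == "__main__":
    secret = "teams/myteam/db"  # constructed sample secret path
    for pattern in ("kv/teams/myteam/*", "kv/data/teams/myteam/*",
                    "kv/+/teams/myteam/*"):
        print(f"{pattern:28} -> {kv2_coverage(pattern, 'kv', secret)}")
```

The pattern without a prefix segment covers none of the kv-v2 request paths, which is why a policy written against the bare secret path grants nothing on a kv-v2 mount.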