[Vault] The policy for create and read keys only

I have a secret named secret/test and a token associated with the policy test-policy
I would like to modify that policy to make the token can only create and read keys in the KV without allowing updating them.

My current policy is as below. It can help me to create, read and even update the old keys

path "secret/data/test" {
  capabilities = ["read", "update"]

I’m new in Vault so hope anyone can help me to resolve this problem.

Just remove “update”?

So how can I create a new key if removing the update capality?