Vault token not able to "access/generate" AppRole secret-id

Hello,
We have Vault version v1.14.2 installed behind a load balancer (several nodes form a cluster).

We followed the recommended Vault AppRole usage pattern to retrieve a wrapped secret-id.

We created the policy as described (my-policy):

path "auth/approle/role/+/secret*" {
    capabilities = [ "create", "read", "update" ]
    min_wrapping_ttl = "100s"
    max_wrapping_ttl = "300s"
}

and associated it with the token we created using the following command:

./vault token create -policy=my-policy -ttl=0

With the token received, we try to access the custom role's secret-id, but this always gives us an error:
code 403, or "error": "1 error occurred:\n\t* permission denied\n\n" (in the audit log).

If we look at the capabilities of the token on the requested path, it's OK:

vault token capabilities hvs.mytoken…. auth/approle/role/my-role/secret-id

We receive the following output:

create, read, update

We've tried to access the resource through the CLI and curl, but the result is always the same.

The audit log gives us:

"policy_results": {
    "allowed": false

What are we doing wrong? What more can we do to find the problem?

Best regards,

David

Try this policy, notice the *:

path "auth/approle/role/*/secret-id" {
    capabilities = [ "create", "update" ]
    min_wrapping_ttl = "100s"
    max_wrapping_ttl = "300s"
}

Thank you MrBaseball34 for your help.
But unfortunately this wasn't the solution.

I had to add the following to my minimalistic policy in order to have it working:

path "auth/approle/*" {
    capabilities = [ "update" ]
}

So my policy is as follows:

path "auth/approle/*" {
    capabilities = [ "update" ]
}
path "auth/approle/role/MyApprole/secret-id" {
    capabilities = [ "create", "update", "list" ]
    min_wrapping_ttl = "100s"
    max_wrapping_ttl = "300s"
}

Best regards,

David

Glad you got it worked out.
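The thread never pins down why the first policy was denied while `vault token capabilities` reported create/read/update. The script below is an added example, not code from the thread or from Vault itself: it is a small simulation of the ACL rules the thread depends on (a `+` matches exactly one path segment, a trailing `*` is a prefix glob, the most specific matching path wins, and a path with `min_wrapping_ttl`/`max_wrapping_ttl` rejects a request whose response-wrapping TTL is absent or outside that range). The capabilities check only reports the capability list, so it cannot surface a wrapping-TTL denial; the simulation shows that `auth/approle/role/+/secret*` does match `auth/approle/role/my-role/secret-id`, that the same request is denied when it carries no `-wrap-ttl`, and how far the final policy's `auth/approle/*` entry actually reaches. The policy entries are copied from the thread; everything else (`Rule`, `check`, `capabilities`, the role and request paths, the precedence rule between overlapping paths) is an assumption for illustration, and Vault's real longest-prefix matching is more involved than this model.

```python
"""Simulation of how a Vault ACL policy evaluates a request path.

Added example, not part of the original thread and not Vault's own code.
The precedence logic is a simplification of Vault's longest-prefix match.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    path: str
    capabilities: frozenset
    min_wrapping_ttl: int = 0  # seconds; 0 means the policy did not set it
    max_wrapping_ttl: int = 0


def path_matches(pattern: str, request: str) -> bool:
    """Vault path semantics: '+' = exactly one segment, trailing '*' = prefix glob."""
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    pseg, rseg = pattern.split("/"), request.split("/")
    if glob and len(rseg) < len(pseg):
        return False
    if not glob and len(rseg) != len(pseg):
        return False
    for i, p in enumerate(pseg):
        if p == "+":
            continue
        if glob and i == len(pseg) - 1:
            return rseg[i].startswith(p)  # last glob segment is a prefix; the rest is free
        if p != rseg[i]:
            return False
    return True


def select_rule(policy, request):
    """Most specific match wins: an exact path beats a glob, then the longer pattern (simplified)."""
    matches = [r for r in policy if path_matches(r.path, request)]
    if not matches:
        return None
    return max(matches, key=lambda r: (not r.path.endswith("*"), len(r.path)))


def capabilities(policy, request):
    """What 'vault token capabilities <token> <path>' reports: capabilities only, no TTL check."""
    rule = select_rule(policy, request)
    return set(rule.capabilities) if rule else {"deny"}


def check(policy, request, operation, wrap_ttl: Optional[int] = None):
    """Full ACL decision for one request; wrap_ttl is the -wrap-ttl value in seconds, if any."""
    rule = select_rule(policy, request)
    if rule is None:
        return False, "no matching path"
    if operation not in rule.capabilities:
        return False, f"{operation} not in {sorted(rule.capabilities)}"
    ttl = wrap_ttl or 0
    if rule.min_wrapping_ttl and ttl < rule.min_wrapping_ttl:
        return False, (f"wrapping TTL {ttl}s is below min_wrapping_ttl "
                       f"{rule.min_wrapping_ttl}s; the request must set -wrap-ttl")
    if rule.max_wrapping_ttl and ttl > rule.max_wrapping_ttl:
        return False, f"wrapping TTL {ttl}s exceeds max_wrapping_ttl {rule.max_wrapping_ttl}s"
    return True, "allowed"


# The first policy from the thread.
ORIGINAL_POLICY = [
    Rule("auth/approle/role/+/secret*", frozenset({"create", "read", "update"}), 100, 300),
]
# The final policy from the thread, including the broad auth/approle/* entry.
FINAL_POLICY = [
    Rule("auth/approle/*", frozenset({"update"})),
    Rule("auth/approle/role/MyApprole/secret-id", frozenset({"create", "update", "list"}), 100, 300),
]
# Assumed request path; 'vault write -f <path>' on this endpoint is an update operation.
SECRET_ID = "auth/approle/role/my-role/secret-id"


if __name__ == "__main__":
    print(sorted(capabilities(ORIGINAL_POLICY, SECRET_ID)))           # ['create', 'read', 'update']
    print(check(ORIGINAL_POLICY, SECRET_ID, "update"))                # denied: no -wrap-ttl given
    print(check(ORIGINAL_POLICY, SECRET_ID, "update", wrap_ttl=120))  # (True, 'allowed')
    # The glob in the final policy reaches every AppRole endpoint, not only secret-id.
    for p in ("auth/approle/role/other-role/secret-id", "auth/approle/role/other-role",
              "auth/approle/login"):
        print(p, check(FINAL_POLICY, p, "update"))
```

Running it reproduces the symptom from the first post: the capabilities check says create/read/update, yet an update without a wrapping TTL in the 100s–300s window is denied, which is exactly what a `permission denied` with `"allowed": false` in the audit log looks like. The same model shows that the `auth/approle/*` entry in the final policy grants update on every AppRole endpoint (role definitions, `login`, other roles' secret-ids), which is considerably wider than a secret-id-generating token needs; passing `-wrap-ttl` with the narrow policy is the least-privilege option worth trying first.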