Wildcard in policies


I have the following policy in Vault KV version 2:

When I execute CLI commands:

In the UI, I saw the following:

I wasn’t expecting a permission issue when putting secrets at “secret/dc” or “secret/dc/”. Given a wildcard (dc/*) and a valid token, shouldn’t I be able to put secrets right at dc/ as well? I thought I had access to everything under “dc/”.

Appreciate help.


You do. But dc is not under dc/.

Vault’s * wildcard is a simple “string starts with given prefix” match, and dc is not a string starting with dc/.

Additionally, all “file-like” Vault operations (all of them apart from list) will automatically trim off any trailing slash - and the only “directory-like” operation (list) will automatically append a trailing slash to the path if not already present.
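The two rules from the answer above (prefix match for a trailing `*`, and slash trimming or appending by operation type), as an added example that is not part of the thread and is not Vault's code. It is a simplified model that ignores rule priority and every other policy feature; the policy paths and capability sets are constructed, written the way the question writes its paths.

```python
# Simplified model of the two rules described in the answer above.
# Not Vault's code; policy paths and capabilities below are constructed.

def normalize(path: str, operation: str) -> str:
    """Slash handling applied to the request path before policy matching."""
    if operation == "list":
        # The only directory-like operation: a trailing slash is appended.
        return path if path.endswith("/") else path + "/"
    # File-like operations: a trailing slash is trimmed off.
    return path[:-1] if path.endswith("/") else path

def rule_matches(rule: str, path: str) -> bool:
    """A trailing * means 'path starts with this prefix'; otherwise exact match."""
    if rule.endswith("*"):
        return path.startswith(rule[:-1])
    return path == rule

def allowed(policy: dict, path: str, operation: str) -> bool:
    """Union of matching rules (this model does not rank rules by specificity)."""
    request = normalize(path, operation)
    return any(rule_matches(rule, request) and operation in caps
               for rule, caps in policy.items())

CAPS = {"create", "update", "list"}
ORIGINAL = {"secret/dc/*": CAPS}                        # wildcard only
WITH_EXACT = {"secret/dc/*": CAPS,                      # wildcard plus an exact
              "secret/dc": {"create", "update"}}        # rule for the node itself
TOO_WIDE = {"secret/dc*": CAPS}                         # prefix without the slash

def report(policy: dict) -> dict:
    """Decision for each constructed request against one policy."""
    requests = [("secret/dc", "update"), ("secret/dc/", "update"),
                ("secret/dc/app", "update"), ("secret/dc", "list"),
                ("secret/dcx/app", "update")]
    return {req: allowed(policy, *req) for req in requests}

if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL), ("with exact rule", WITH_EXACT),
                         ("too wide", TOO_WIDE)]:
        print(name)
        for (path, op), ok in report(policy).items():
            print(f"  {op:6} {path:16} -> {'allow' if ok else 'deny'}")
```

Under this model, widening the rule to `secret/dc*` also covers the sibling path `secret/dcx/app`, which is why the exact-path rule is the narrower way to grant writes at `secret/dc`.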