This question requires identifying a policy that permits reading the secret at secrets/applications/app01/api_key. Vault policies use paths and capabilities to control access. Let’s evaluate:
A: path "secrets/applications/" { capabilities = ["read"] allowed_parameters = { "certificate" = [] } }
This policy allows reading at secrets/applications/, but not deeper paths like secrets/applications/app01/api_key. The allowed_parameters restriction is irrelevant for reading secrets. Incorrect.

B: path "secrets/*" { capabilities = ["list"] }
The list capability allows listing secrets under secrets/, but not reading their contents. Reading requires the read capability. Incorrect.

C: path "secrets/applications/+/api_*" { capabilities = ["read"] }
The + wildcard matches one segment (e.g., app01), and api_* matches api_key. This policy grants read access to secrets/applications/app01/api_key. Correct.

D: path "secrets/applications/app01/api_key/*" { capabilities = ["update", "list", "read"] }
This policy applies to subpaths under api_key/, not the exact path api_key. It includes read, but the path mismatch makes it incorrect for this specific secret.
Overall Explanation from Vault Docs:
“Wildcards (*, +) allow flexible path matching… read capability is required to retrieve secret data.” Option C uses globbing to precisely target the required path.
Chosen Answer:
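The path-matching rules the answer relies on can be checked mechanically. The following is an added example, not code from the original post or from Vault itself: it models Vault's ACL matching (a `+` matches exactly one path segment, a trailing `*` matches any suffix) and evaluates the four candidate policies against the requested path. The option names A-D and the `CANDIDATE_POLICIES` table are constructed from the question above.

```python
import re

# Constructed from the question: the four answer options, reduced to
# (policy path, granted capabilities). allowed_parameters is ignored because
# it does not affect whether a read is permitted.
CANDIDATE_POLICIES = {
    "A": ("secrets/applications/", {"read"}),
    "B": ("secrets/*", {"list"}),
    "C": ("secrets/applications/+/api_*", {"read"}),
    "D": ("secrets/applications/app01/api_key/*", {"update", "list", "read"}),
}


def vault_path_matches(policy_path: str, request_path: str) -> bool:
    """Approximate Vault ACL path matching.

    '+' matches exactly one path segment (no slashes); a trailing '*' matches
    any suffix, including the empty one. Vault only honours '*' at the end of
    a policy path, so that is the only glob form modelled here.
    """
    glob = policy_path.endswith("*")
    if glob:
        policy_path = policy_path[:-1]
    # Escape the literal text, then turn each escaped '+' into a one-segment match.
    regex = re.escape(policy_path).replace(r"\+", "[^/]+")
    if glob:
        regex += ".*"
    return re.fullmatch(regex, request_path) is not None


def permitting_policies(policies, request_path, capability):
    """Return the option letters whose path matches the request and whose
    capabilities include the one requested."""
    return sorted(
        name
        for name, (path, caps) in policies.items()
        if vault_path_matches(path, request_path) and capability in caps
    )


if __name__ == "__main__":
    target = "secrets/applications/app01/api_key"
    for name, (path, caps) in CANDIDATE_POLICIES.items():
        matched = "match" if vault_path_matches(path, target) else "no match"
        print(f"{name}: {path!r:45} {matched:9} caps={sorted(caps)}")
    print("options permitting read:", permitting_policies(CANDIDATE_POLICIES, target, "read"))
```

Only option C both matches the path and carries the read capability; B matches the path but grants only list, and D's trailing `/*` requires a slash after `api_key`. Against a real KV version 2 mount the request path would carry a `data/` segment after the mount name, so the policy path would have to account for that as well.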