docs(config): Add a policy that permits writing but not reading secrets

policies/role-kv-writer/kv-writer.hcl

@@ -0,0 +1,24 @@
+# Allow listing secret parent-child connections (as in UI hierarchy)
+path "kv/metadata/*"
+{
+  capabilities = ["list"]
+}
+
+# Allow creation of new secrets and writing new versions for existing ones
+path "kv/data/*"
+{
+  capabilities = ["create", "update"]
+}
+
+# Allow viewing secret metadata such as whether or not versions of a secrets
+# exist anf if so how many.
+# path "kv/metadata/*"
+# {
+#   capabilities = ["read"]
+# }
+
+# Allow seeing/retrieving plain-text secrets
+# path "kv/data/*"
+# {
+#   capabilities = ["read"]
+# }