
# Let the token enumerate key names under the kv mount, as the UI needs in
# order to render the secret hierarchy. Only "list" is granted here, so key
# names and nesting are visible but secret values and version metadata are not.
# Vault does not filter listed key names by policy and the trailing "*" is a
# prefix match, so every key name under kv/ is exposed to this token; keep
# sensitive information out of secret paths.
# NOTE(review): the metadata/ and data/ prefixes suggest "kv" is a KV v2 mount - confirm.
path "kv/metadata/*" {
  capabilities = ["list"]
}
# Write-only access to secret data: the token may create new secrets and write
# new versions of existing ones, but "read" is not granted, so it cannot read
# values back. The trailing "*" is a prefix match, which means this covers
# every secret under kv/, including overwriting ones the holder cannot see.
# Narrow the path if the writer only needs a subtree.
path "kv/data/*" {
  capabilities = ["create", "update"]
}
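# Allow viewing secret metadata, such as whether any versions of a secret
# exist and, if so, how many.
# To enable, add "read" to the existing kv/metadata/* stanza rather than
# declaring the same path a second time.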
# path "kv/metadata/*"
# {
# capabilities = ["read"]
# }
# Allow seeing/retrieving plain-text secrets
# path "kv/data/*"
# {
# capabilities = ["read"]
# }