Which of the following Vault policies will allow a Vault client to read a secret stored at secrets/applications/app01/api_key?

Posted by: Pdfprep Category: VA-002-P

Which of the following Vault policies will allow a Vault client to read a secret stored at secrets/applications/app01/api_key?
A. path "secrets/applications/+/api_*" {
     capabilities = ["read"]
   }

B. path "secrets/applications/" {
     capabilities = ["read"]
     allowed_parameters = {
       "certificate" = []
     }
   }

C. path "secrets/*" {
     capabilities = ["list"]
   }

D. path "secrets/applications/app01/api_key" {
     capabilities = ["update", "list"]
   }

Answer: A

Explanation:

Wildcards and path segments can be used to grant access to a broader set of secrets without calling out each individual secret. None of the other policies will allow a client to actually read the data stored at the path secrets/applications/app01/api_key.
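
The matching rules behind this answer, as an added example that is not part of the original page and is not Vault's own code: a simplified Python model of policy path matching (exact match, a trailing `*` as a prefix glob, `+` as one path segment), evaluated against the four options. Function names are hypothetical, and the model ignores priority between multiple matching paths, `deny`, and `allowed_parameters`.

```python
# Simplified model of Vault policy path matching (illustrative assumption,
# not Vault's implementation). Rules modelled:
#   - no wildcard: the policy path must equal the request path
#   - trailing "*": prefix glob, matches anything after that point
#   - "+": matches exactly one path segment

SECRET = "secrets/applications/app01/api_key"

# The four answer options from the question: (policy path, capabilities).
OPTIONS = {
    "A": ("secrets/applications/+/api_*", {"read"}),
    "B": ("secrets/applications/", {"read"}),
    "C": ("secrets/*", {"list"}),
    "D": ("secrets/applications/app01/api_key", {"update", "list"}),
}

def path_matches(pattern: str, request: str) -> bool:
    prefix = pattern.endswith("*")
    if prefix:
        pattern = pattern[:-1]
    pat_segs = pattern.split("/")
    req_segs = request.split("/")
    if prefix:
        if len(req_segs) < len(pat_segs):
            return False
    elif len(req_segs) != len(pat_segs):
        return False
    last = len(pat_segs) - 1
    for i, seg in enumerate(pat_segs):
        if seg == "+":
            continue  # any single segment is accepted here
        if prefix and i == last:
            # Last pattern segment only has to be a prefix of the request's.
            if not req_segs[i].startswith(seg):
                return False
        elif seg != req_segs[i]:
            return False
    return True

def allows(option: str, request: str, capability: str) -> bool:
    # Access needs both a matching path and the requested capability.
    pattern, capabilities = OPTIONS[option]
    return path_matches(pattern, request) and capability in capabilities

def evaluate(request: str, capability: str = "read") -> dict:
    return {name: allows(name, request, capability) for name in OPTIONS}

if __name__ == "__main__":
    for name, ok in evaluate(SECRET).items():
        print(name, "read allowed" if ok else "read denied")
```

Options C and D match the path but lack `read`; option B has `read` but its path is an exact match for `secrets/applications/` only, so it never covers the secret.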
