diff --git a/auth_approle_rpmbuilder.tf b/auth_approle_rpmbuilder.tf
index 9a44d0a..609189c 100644
--- a/auth_approle_rpmbuilder.tf
+++ b/auth_approle_rpmbuilder.tf
@@ -2,8 +2,8 @@ resource "vault_approle_auth_backend_role" "rpmbuilder" {
   role_name      = "rpmbuilder"
   bind_secret_id = false
   token_policies = [
-    "kv/service/github/neoloc/tokens/read-only-token",
-    "kv/service/gitea/unkinben/tokens/read-only-packages",
+    "kv/service/github/neoloc/tokens/read-only-token/read",
+    "kv/service/gitea/unkinben/tokens/read-only-packages/read",
   ]
   token_ttl     = 30
   token_max_ttl = 30