terraform-vault/policies/sys/sys_mounts_admin.hcl

# Allow access to manage secret engines (mount, unmount, update)
path "sys/mounts/*" {
  capabilities = ["create", "update", "delete", "read", "list"]
}

# Allow tuning existing secret engines
path "sys/mounts-tune/*" {
  capabilities = ["update", "read"]
}

# Allow reaing and listing of enabled secret engines
path "sys/mounts" {
  capabilities = ["read", "list"]
}