Vault: Can't configure policy for signing certificates

Created on 13 Apr 2018 · 2 Comments · Source: hashicorp/vault

Environment:

  • Vault Version: Vault v0.9.6 ('7e1fbde40afee241f81ef08700e7987d86fc7242')
  • Operating System/Architecture: Linux 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Vault Config File:
Vault is running in dev mode, i.e. vault server -dev

Startup Log Output:

==> Vault server started! Log data will stream in below:

2018/04/13 12:48:12.142298 [INFO ] core: security barrier not initialized
2018/04/13 12:48:12.143247 [INFO ] core: security barrier initialized: shares=1 threshold=1
2018/04/13 12:48:12.145012 [INFO ] core: post-unseal setup starting
2018/04/13 12:48:12.179363 [INFO ] core: loaded wrapping token key
2018/04/13 12:48:12.180004 [INFO ] core: successfully setup plugin catalog: plugin-directory=
2018/04/13 12:48:12.183407 [INFO ] core: successfully mounted backend: type=kv path=secret/
2018/04/13 12:48:12.183467 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2018/04/13 12:48:12.184667 [INFO ] core: successfully mounted backend: type=system path=sys/
2018/04/13 12:48:12.186485 [INFO ] core: successfully mounted backend: type=identity path=identity/
2018/04/13 12:48:12.191951 [INFO ] expiration: restoring leases
2018/04/13 12:48:12.192057 [INFO ] rollback: starting rollback manager
2018/04/13 12:48:12.192882 [INFO ] expiration: lease restore complete
2018/04/13 12:48:12.193211 [INFO ] identity: entities restored
2018/04/13 12:48:12.193238 [INFO ] identity: groups restored
2018/04/13 12:48:12.193259 [INFO ] core: post-unseal setup complete
2018/04/13 12:48:12.193580 [INFO ] core: root token generated
2018/04/13 12:48:12.193587 [INFO ] core: pre-seal teardown starting
2018/04/13 12:48:12.193596 [INFO ] core: cluster listeners not running
2018/04/13 12:48:12.193617 [INFO ] rollback: stopping rollback manager
2018/04/13 12:48:12.193727 [INFO ] core: pre-seal teardown complete
2018/04/13 12:48:12.193899 [INFO ] core: vault is unsealed
2018/04/13 12:48:12.193933 [INFO ] core: post-unseal setup starting
2018/04/13 12:48:12.194039 [INFO ] core: loaded wrapping token key
2018/04/13 12:48:12.194045 [INFO ] core: successfully setup plugin catalog: plugin-directory=
2018/04/13 12:48:12.194406 [INFO ] core: successfully mounted backend: type=kv path=secret/
2018/04/13 12:48:12.194605 [INFO ] core: successfully mounted backend: type=system path=sys/
2018/04/13 12:48:12.194919 [INFO ] core: successfully mounted backend: type=identity path=identity/
2018/04/13 12:48:12.194941 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2018/04/13 12:48:12.196262 [INFO ] expiration: restoring leases
2018/04/13 12:48:12.196315 [INFO ] rollback: starting rollback manager
2018/04/13 12:48:12.196747 [INFO ] expiration: lease restore complete
2018/04/13 12:48:12.196950 [INFO ] identity: entities restored
2018/04/13 12:48:12.196972 [INFO ] identity: groups restored
2018/04/13 12:48:12.197004 [INFO ] core: post-unseal setup complete

Expected Behavior:
I'm able to configure policy to allow signing CSRs

Actual Behavior:
Can't make non-root token sign CSRs

Steps to Reproduce:
Enable PKI engine:

> vault secrets enable pki
Success! Enabled the pki secrets engine at: pki/

Create role pki-abel for the PKI engine

> vault write pki/roles/pki-abel allowed_domains=tests.local allow_subdomains=true key_type=ec key_bits=256 generate_lease=true
Success! Data written to: pki/roles/pki-abel

Create a policy to allow pki/sign/pki-abel requests. The file is

path "pki/sign/*" {
  capabilities = ["create"]
}

Command

> vault write sys/policy/pki-abel [email protected]
Success! Data written to: sys/policy/pki-abel

Also, for testing, create a policy that allows reading the list of pki/certs; the file is

path "pki/certs/" {
  capabilities = ["list"]
}

Command

> vault write sys/policy/list-certs [email protected]
Success! Data written to: sys/policy/list-certs

Create root certificate:

> vault write pki/root/generate/internal \
    common_name=tests.local \
    ttl=17420h

(prints certificate, success)

Create a token with policies list-certs and pki-abel

> vault token create -policy=list-certs -policy=pki-abel
Key                Value
---                -----
token              4a3e537e-1152-5778-1ec3-e15e6eed992d
token_accessor     375deb59-cf53-23b6-52a4-8fc8a76df1bb
token_duration     768h
token_renewable    true
token_policies     [default list-certs pki-abel]

Grab the token, log in, and try to list certs:

>  vault login token=4a3e537e-1152-5778-1ec3-e15e6eed992d
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                Value
---                -----
token              4a3e537e-1152-5778-1ec3-e15e6eed992d
token_accessor     375deb59-cf53-23b6-52a4-8fc8a76df1bb
token_duration     767h59m8s
token_renewable    true
token_policies     [default list-certs pki-abel]

> vault list pki/certs
Keys
----
25-dc-a0-ed-50-c5-6c-09-42-de-8d-4c-13-75-21-5f-42-7a-5e-b6

Now try to sign CSR:

> curl -X POST --data @csr http://localhost:8200/v1/pki/sign/pki-abel -H "X-Vault-Token: 4a3e537e-1152-5778-1ec3-e15e6eed992d"
{"errors":["permission denied"]}

At the same time, with root token this query works:

> curl -X POST --data @csr http://localhost:8200/v1/pki/sign/pki-abel -H "X-Vault-Token: c81dc7c0-c557-f06c-5232-060a4339812e"
{"errors":["csr contains no data"]}

(okay, it's an error, but at least this action is permitted).

I've also tried the following policy configurations:

path "pki/*" {
  capabilities = ["create"]
}

path "pki/sign/" {
  capabilities = ["create"]
}

path "pki/sign/pki-abel" {
  capabilities = ["create"]
}

and all of these with sudo instead of create, and none of them works as I expect; I still get 403.
Am I doing something wrong?

All 2 comments

In despair I tried to use the capability update instead of create, and it turns out it works! Sorry for disturbing :)

I had the same problem; thanks for sharing. It is not clear from the documentation for policies and PKI that "create" and "update" are in fact different in PKI.
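As an added example (not code from the issue or from Vault itself), a small Python model of the ACL check the thread is about: it reproduces the "permission denied" for the issue's `pki/sign/*` + `create` policy and shows that `update` is what a POST to the sign endpoint is checked against. The sample policies and the simplified matching rules are constructed for illustration.

```python
# Added example, not from the issue or from Vault's own code: a simplified
# model of Vault ACL evaluation that reproduces the "permission denied" in the
# issue and shows why "update" is the capability the PKI sign endpoint needs.
# Assumed semantics (from Vault's documented ACL behaviour): POST/PUT is an
# "update" operation unless the backend reports the path does not exist yet,
# in which case it is "create"; pki/sign/<role> is an action, not a stored
# object, so POSTs to it are always "update". Rule paths glob only with a
# trailing "*"; "sudo" never grants an operation by itself.

METHOD_TO_OP = {"GET": "read", "LIST": "list", "DELETE": "delete"}


def http_to_operation(method, path_exists=True):
    """Map an HTTP method to the Vault ACL operation it is checked against."""
    if method in ("POST", "PUT"):
        return "update" if path_exists else "create"
    return METHOD_TO_OP[method]


def best_rule(policies, request_path):
    """Return the capabilities of the most specific matching rule.

    An exact path match beats any glob; among globs, the longest prefix wins.
    A LIST request path already carries its trailing slash, as Vault appends
    it before ACL evaluation (which is why "pki/certs/" matches vault list).
    """
    exact, longest_glob, glob_caps = None, -1, None
    for rules in policies:
        for rule_path, caps in rules.items():
            if rule_path.endswith("*"):
                prefix = rule_path[:-1]
                if request_path.startswith(prefix) and len(prefix) > longest_glob:
                    longest_glob, glob_caps = len(prefix), caps
            elif rule_path == request_path:
                exact = caps
    return exact if exact is not None else glob_caps


def is_allowed(policies, method, path, path_exists=True):
    """True if the token's merged policies permit `method` on `path`."""
    caps = best_rule(policies, path)
    if caps is None or "deny" in caps:
        return False
    return "root" in caps or http_to_operation(method, path_exists) in caps


# Constructed sample policies: the issue's original rule and the working fix.
ISSUE_POLICY = {"pki/sign/*": ["create"], "pki/certs/": ["list"]}
FIXED_POLICY = {"pki/sign/*": ["update"], "pki/certs/": ["list"]}
```

The same model shows where "create" does apply: a POST to a KV path that does not exist yet is checked against "create", which is the distinction the comment above says the docs leave unclear.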
