Vault管理员策略不允许创建新策略

我正在尝试遵循标准模式：root-admin-Hashicorp Vault用户。

[基本上：root创建一个管理策略。然后，我的管理员需要能够为新用户创建受限策略。

但是，即使拥有对/sys的所有访问权限，我的管理员也仍然无法创建新策略。

这是我的管理员政策：

path "pki/issue/admin" { capabilities = ["create", "update"]}
path "pki/roles/" {capabilities = ["create", "update"]}
path "pki/issue/" {capabilities = ["create", "update"]}
path "auth/token/*" {capabilities = ["create", "read", "update", "delete"]}
path "auth/token/lookup-self" {capabilities = ["read"]}
path "auth/token/renew-self" {capabilities = ["update"]}
path "auth/token/revoke-self" {capabilities = ["update"]}
path "auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "sudo"]
}
path "sys/policy" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

$ curl -H 'Authorization: Bearer admintoken' http://127.0.0.1:8200/v1/auth/token/lookup-self | jq .data.policies
[
  "admin"
]

$ curl -H 'Authorization: Bearer adminsecret' http://127.0.0.1:8200/v1/sys/policy/agent01 -d '{"name": "test", "policy": "path \"auth/token/lookup-self\" { capabilities = [\"read\"]}"}'
{"errors":["permission denied"]}

我在这里错过了一些必不可少的东西吗？我宁愿避免将根令牌散布到后端服务器上，而只是为新用户创建基本策略。