I'm attempting to configure an unprivileged user within a Vault container. I've followed these steps in the CLI but ultimately encountered a "permission denied" error:
$ vault login <rootToken>
$ cd vault && mkdir policy && cd policy && vi unprivileged_policy.hcl
The unprivileged_policy.hcl file contains the following:
path "kv/myapp" {
capabilities = ["create", "read", "update", "delete", "list"]
}
After setting up the policy, I proceeded to update the approle and the user:
$ vault policy write unprivileged_policy unprivileged_policy.hcl
$ vault auth enable approle
$ vault write auth/approle/role/app policies="unprivileged_policy"
Next, I retrieved the role ID to generate a token for the unprivileged user:
$ vault read auth/approle/role/app/role-id
$ vault write -f auth/approle/role/app/secret-id
$ vault write auth/approle/login role_id=<role_id> secret_id=<secret_id>
Checking the capabilities with:
$ vault read auth/approle/role/app
yields:
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
policies                   [unprivileged_policy.hcl]
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [unprivileged_policy.hcl]
token_ttl                  0s
token_type                 default
I used the unprivileged token for vault login (generated by auth/approle/login). However, when I try to create the secret with this command:
$ vault kv put kv/myapp/ secret="mysecret"
I receive the following error:
Error making API request.
URL: GET http://0.0.0.0:8200/v1/sys/internal/ui/mounts/kv/myapp
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "kv/myapp/"
I attempted to set up an unprivileged user in Vault and assign a policy that allows CRUD operations on a specific path. I expected the unprivileged user to be able to create a secret at kv/myapp/. Instead, I received a 403 error indicating the user did not have the necessary permissions, despite the policy being seemingly correctly configured.
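Added example (not the poster's code and not Vault's): a small model of the documented Vault ACL path rules (exact match, trailing `*` prefix glob, `+` single-segment wildcard) and of the KV v1/v2 API-path layout, used to check which request paths the posted `kv/myapp` rule actually covers. The KV version of the `kv` mount is not stated in the post, so both layouts are modelled; `GLOB_POLICY` is a constructed variant for comparison.

```python
# Added example: reproduces the documented Vault ACL matching rules so the
# posted policy can be checked against the path the CLI actually requests.
# Not Vault's own implementation.

# The rule exactly as posted in unprivileged_policy.hcl (constructed dict).
POSTED_POLICY = {"kv/myapp": {"create", "read", "update", "delete", "list"}}

# Constructed variant: trailing globs cover "kv/myapp/" (trailing slash) and,
# for a KV v2 mount, the "kv/data/myapp/..." path that `vault kv put` writes to.
GLOB_POLICY = {
    "kv/myapp/*": {"create", "read", "update", "delete", "list"},
    "kv/data/myapp/*": {"create", "read", "update", "delete", "list"},
}


def api_path(cli_path: str, mount: str, kv_version: int) -> str:
    """Path the ACL is evaluated against for `vault kv put <cli_path>`:
    KV v1 writes to <mount>/<path>, KV v2 to <mount>/data/<path>."""
    rel = cli_path[len(mount) + 1:]  # strip "<mount>/"
    return f"{mount}/data/{rel}" if kv_version == 2 else f"{mount}/{rel}"


def rule_matches(rule: str, request: str) -> bool:
    """Vault ACL matching: a trailing '*' is a prefix glob, '+' matches exactly
    one path segment, anything else must match exactly (a trailing slash counts)."""
    glob = rule.endswith("*")
    r_parts = (rule[:-1] if glob else rule).split("/")
    q_parts = request.split("/")
    if len(q_parts) < len(r_parts):
        return False
    for r, q in zip(r_parts[:-1], q_parts):  # all but the last rule segment
        if r not in ("+", q):
            return False
    last_r, last_q = r_parts[-1], q_parts[len(r_parts) - 1]
    if glob:
        return last_q.startswith(last_r)
    return len(q_parts) == len(r_parts) and last_r in ("+", last_q)


def capabilities(policy: dict, request: str) -> set:
    """Capabilities granted on `request`; the longest (most specific) matching
    rule wins, which is how Vault resolves overlapping rules."""
    matches = [r for r in policy if rule_matches(r, request)]
    return set(policy[max(matches, key=len)]) if matches else set()


def check_put(policy: dict, cli_path: str, mount: str = "kv") -> dict:
    """For KV v1 and v2: the API path checked and whether a write is allowed."""
    result = {}
    for version in (1, 2):
        path = api_path(cli_path, mount, version)
        result[version] = (path, bool({"create", "update"} & capabilities(policy, path)))
    return result
```

Running `check_put(POSTED_POLICY, "kv/myapp/")` shows the exact-match rule does not cover the trailing-slash path under either layout, while `check_put(POSTED_POLICY, "kv/myapp")` is allowed only for a v1 mount.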