diff --git a/controller.nomad.hcl b/controller.nomad.hcl
index a71c69e..0f1112a 100644
--- a/controller.nomad.hcl
+++ b/controller.nomad.hcl
@@ -58,7 +58,7 @@ _EOF
 # Load vault root CA into the trust store
 template {
 data = <<-EOF
- {{ with secret "[[ $.consul.suffix ]]pki/root/cert/ca" }}{{ .Data.certificate }}{{ end }}
+ {{ with secret "[[ $.vault.pki.issuer ]]/cert/ca" }}{{ .Data.certificate }}{{ end }}
 EOF
 destination = "local/ca.crt"
 }
diff --git a/example/controller.nomad.hcl b/example/controller.nomad.hcl
index 2b5da1e..6f06aa2 100644
--- a/example/controller.nomad.hcl
+++ b/example/controller.nomad.hcl
@@ -66,7 +66,7 @@ httpConnection:
 protocol: https
 host: truenas.example.org:443
 port: 443
- apiKey: {{ with secret "kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
+ apiKey: {{ with secret "/kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
 allowInsecure: false
 apiVersion: 2
@@ -106,7 +106,7 @@ _EOF
 # Load vault root CA into the trust store
 template {
 data = <<-EOF
- {{ with secret "pki/root/cert/ca" }}{{ .Data.certificate }}{{ end }}
+ {{ with secret "/pki/root/cert/ca" }}{{ .Data.certificate }}{{ end }}
 EOF
 destination = "local/ca.crt"
 }
@@ -188,7 +188,7 @@ httpConnection:
 protocol: https
 host: truenas.example.org:443
 port: 443
- apiKey: {{ with secret "kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
+ apiKey: {{ with secret "/kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
 allowInsecure: false
 apiVersion: 2
@@ -219,7 +219,7 @@ _EOF
 # Load vault root CA into the trust store
 template {
 data = <<-EOF
- {{ with secret "pki/root/cert/ca" }}{{ .Data.certificate }}{{ end }}
+ {{ with secret "/pki/root/cert/ca" }}{{ .Data.certificate }}{{ end }}
 EOF
 destination = "local/ca.crt"
 }
diff --git a/example/vault/policies/democratic-csi.hcl b/example/vault/policies/democratic-csi.hcl
index 668c07b..23fbf0e 100644
--- a/example/vault/policies/democratic-csi.hcl
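Review bot: `[[ $.vault.pki.issuer ]]/cert/ca` ties the rendered secret path to an undocumented convention: the value must be a mount path with a leading slash and no trailing slash (the example hunks pass `/pki/root`), whereas the templates/iscsi and templates/nfs hunks build `[[ .vault.root ]]kv/service/...`, which needs a trailing slash. An unset or empty value renders the path as `/cert/ca`, which is presumably only caught when Nomad fails to render the task template rather than at review time. Pick one convention for path-prefix variables and state it where the variable is consumed, e.g. `# vault.pki.issuer: mount path of the issuing PKI engine, leading slash, no trailing slash (e.g. "/pki/root")` above the `template {` stanza. The name `issuer` also reads as a Vault issuer reference while the example passes a mount path; `vault.pki.mount` would match what is actually supplied, if the rename is cheap.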
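Review bot: The value read by the new `secret "/kv/service/democratic-csi"` call is rendered into `apiKey:` as an unquoted YAML scalar, so an API key containing YAML-significant characters (`: `, ` #`, a leading `*`, `{` or `[`) alters or breaks the generated config, and a missing key renders `apiKey:` as null; the @@ -188 hunk here and the templates/iscsi and templates/nfs hunks have the same line. Emitting the value as a JSON string keeps it one safely quoted scalar: `apiKey: {{ with secret "/kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key | toJSON }}{{ end }}`. Separately, the leading slash introduced on every `secret` path in this file (also the @@ -106 and @@ -219 hunks) and in the policy file should be confirmed against consul-template and Vault's policy matcher before the examples rely on it — Vault's policy documentation writes paths without a leading slash — so the examples do not teach a form that only works incidentally.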
+++ b/example/vault/policies/democratic-csi.hcl
@@ -1,6 +1,12 @@
 # Access the vault KV (v2) store
-path "kv/data/service/democratic-csi" {
+path "/kv/data/service/democratic-csi" {
+ capabilities = ["read"]
+}
+path "/kv/metadata/service/democratic-csi/*" {
+ capabilities = ["read", "list"]
+}
+path "/kv/data/service/democratic-csi/*" {
 capabilities = ["read"]
 }
diff --git a/templates/iscsi/controller.yml.tpl b/templates/iscsi/controller.yml.tpl
index b79d6e5..16bd8b7 100644
--- a/templates/iscsi/controller.yml.tpl
+++ b/templates/iscsi/controller.yml.tpl
@@ -7,7 +7,7 @@ httpConnection:
 protocol: [[ $url.Scheme ]]
 host: [[ $url.Host ]]
 port: [[ $url.Port ]]
- apiKey: {{ with secret "[[ .vault.kv.path ]]" }}{{ .Data.data.truenas_api_key }}{{ end }}
+ apiKey: {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.truenas_api_key }}{{ end }}
 allowInsecure: [[ .democratic_csi.controller.truenas.api.insecure | ternary "true" "false" ]]
 apiVersion: 2
diff --git a/templates/nfs/controller.yml.tpl b/templates/nfs/controller.yml.tpl
index 4be9410..8455e83 100644
--- a/templates/nfs/controller.yml.tpl
+++ b/templates/nfs/controller.yml.tpl
@@ -7,7 +7,7 @@ httpConnection:
 protocol: [[ $url.Scheme ]]
 host: [[ $url.Host ]]
 port: [[ $url.Port ]]
- apiKey: {{ with secret "[[ .vault.kv.path ]]" }}{{ .Data.data.truenas_api_key }}{{ end }}
+ apiKey: {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.truenas_api_key }}{{ end }}
 allowInsecure: [[ .democratic_csi.controller.truenas.api.insecure | ternary "true" "false" ]]
 apiVersion: 2
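Review bot: The two new wildcard rules grant more than anything in this change reads: `/kv/metadata/service/democratic-csi/*` with `list` lets the token enumerate every secret name under that prefix, and `/kv/data/service/democratic-csi/*` reads any secret placed beneath it, while the only reads shown are `kv/service/democratic-csi` in the example job and `kv/service/[[ .instance ]]` in the templates. If the globs are meant to cover per-instance keys, note that an instance name such as `democratic-csi-nfs` resolves to `kv/data/service/democratic-csi-nfs`, which neither rule matches, because `democratic-csi/*` only covers paths under the `democratic-csi/` prefix. Keep the single-secret `read` rule, add one rule per instance path that is actually read (or one glob over the real per-instance prefix), and drop the `metadata` rule unless a consumer needs version or key listing. A comment naming the consumer of each path keeps the policy reviewable, e.g. `# read by templates/*/controller.yml.tpl via secret "kv/service/<instance>"`.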
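Review bot: `[[ .vault.root ]]kv/service/[[ .instance ]]` splices the instance name verbatim into the Vault secret path, so a value containing `/` selects a secret in a different sub-tree, and the template does not state that `.vault.root` must end in `/` (the example job passes `/`); the templates/nfs hunk has the identical line. Replacing the free-form `.vault.kv.path` with a fixed `kv/service/<instance>` layout also means any deployment that kept the key elsewhere has to move it, which is worth a line in the change description. A comment above the `apiKey:` line would pin both expectations: `# .vault.root must end in "/"; .instance is used verbatim as the final path segment`. The enclosing `httpConnection:` mapping starts outside the hunk.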