diff --git a/ops/vault/cfg/policies/server.hcl b/ops/vault/cfg/policies/server.hcl
index dfaca4b6e2..d10913954a 100644
--- a/ops/vault/cfg/policies/server.hcl
+++ b/ops/vault/cfg/policies/server.hcl
@@ -10,6 +10,14 @@
 path "kv/metadata/server" {
   capabilities = ["list"]
 }
+# Can read secrets for their own Wireguard keys.
+path "kv/data/apps/wireguard/{{identity.entity.name}}" {
+  capabilities = ["read"]
+}
+path "kv/metadata/apps/wireguard/{{identity.entity.name}}" {
+  capabilities = ["read"]
+}
+
 path "kv/metadata/+" {
   capabilities = ["list"]
 }
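Review bot: Both added path stanzas key the grant on `{{identity.entity.name}}`, which is a mutable attribute: anyone who can write to `identity/entity` can rename an entity and thereby change which `kv/data/apps/wireguard/<name>` secret that server's token may read, whereas `{{identity.entity.id}}` is fixed for the entity's lifetime. If the scheme (entity name equals the key directory name under `apps/wireguard`) is deliberate, the added comment should state that dependency, e.g. `# Each server's entity name must match its key directory under kv/apps/wireguard; renaming an entity changes which key it can read.` The paths carry no trailing `/*` or `+`, so each grant stays pinned to exactly one secret and its metadata — keep that. I cannot tell from this hunk whether entity names are provisioned outside this file or whether another policy restricts `identity/entity` writes; worth confirming before relying on the name as the authorization boundary.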