diff --git a/vault/policy_store.go b/vault/policy_store.go
index 0b42b429dc..18b9004ced 100644
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@@ -300,6 +300,10 @@ path "cubbyhole" {
 path "sys/capabilities-self" {
     capabilities = ["update"]
 }
+
+path "sys/renew/*" {
+    capabilities = ["update"]
+}
 `)
 	if err != nil {
 		return errwrap.Wrapf("error parsing default policy: {{err}}", err)