Let's use "my-new-policy" for your policy name. Copy the policy below to try it out:

path "secret/foo" {
  capabilities = ["read"]
}
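
What this policy grants, as an added example that is not part of the original tutorial. It assumes the stanza is a HashiCorp Vault ACL policy (whose syntax it matches) and models only Vault's default-deny behaviour for exact paths and a trailing `*`; the function names `parse_policy`, `is_allowed` and `evaluate` are hypothetical.

```python
import re

# The policy from the page, embedded verbatim.
POLICY_HCL = '''
path "secret/foo" {
  capabilities = ["read"]
}
'''

# Matches simple stanzas of the form: path "<p>" { capabilities = [...] }
STANZA = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}'
)


def parse_policy(hcl):
    """Return {path: set(capabilities)} for simple path stanzas."""
    rules = {}
    for path, caps in STANZA.findall(hcl):
        rules[path] = set(re.findall(r'"([a-z]+)"', caps))
    return rules


def is_allowed(rules, path, capability):
    """Simplified model: default deny, exact match beats a trailing-'*' prefix."""
    matches = [p for p in rules
               if p == path or (p.endswith("*") and path.startswith(p[:-1]))]
    if not matches:
        return False  # no stanza covers this path, so the request is denied
    # Prefer the exact match, then the longest prefix.
    best = max(matches, key=lambda p: (p == path, len(p)))
    caps = rules[best]
    return "deny" not in caps and capability in caps


def evaluate():
    """Check constructed sample requests against the page's policy."""
    rules = parse_policy(POLICY_HCL)
    requests = [
        ("secret/foo", "read"),      # the one thing the policy grants
        ("secret/foo", "update"),    # same path, capability not listed
        ("secret/foo", "list"),      # listing is a separate capability
        ("secret/foo/bar", "read"),  # no glob, so child paths are not covered
        ("secret/bar", "read"),      # sibling path, no stanza
    ]
    return [(p, c, is_allowed(rules, p, c)) for p, c in requests]


if __name__ == "__main__":
    for path, cap, ok in evaluate():
        print(f"{cap:7} {path:15} -> {'allow' if ok else 'deny'}")
```

Only `read` on exactly `secret/foo` is allowed; every other request is denied because no stanza grants it.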