Policies
Everything in Vault is path-based, and policies are no exception. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.
Policies are deny by default, so an empty policy grants no permission in the system.
Capabilities
Each path must define one or more capabilities which provide fine-grained control over permitted (or denied) operations. As shown in the examples above, capabilities are always specified as a list of strings, even if there is only one capability.
To determine the capabilities needed to perform a specific operation, the -output-policy flag can be added to the CLI subcommand. For an example, refer to the Print Policy Requirements document section.
The list of capabilities includes the following:
create (POST/PUT) - Allows creating data at the given path. Very few parts of Vault distinguish between create and update, so most operations require both create and update capabilities. Parts of Vault that provide such a distinction are noted in documentation.
read (GET) - Allows reading the data at the given path.
update (POST/PUT) - Allows changing the data at the given path. In most parts of Vault, this implicitly includes the ability to create the initial value at the path.
patch (PATCH) - Allows partial updates to the data at a given path.
delete (DELETE) - Allows deleting the data at the given path.
list (LIST) - Allows listing values at the given path. Note that the keys returned by a list operation are not filtered by policies. Do not encode sensitive information in key names. Not all backends support listing.
vault token create -policy=accounting
vault policy write accounting accounting-fixed.hcl
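An illustration of what a policy file such as the accounting-fixed.hcl referenced above could contain, written here as an added example rather than taken from the Vault documentation; the kv mount name and the paths under it are assumptions. It exercises each capability listed above and shows how deny-by-default and the unfiltered list operation play out.

```hcl
# Added example policy, not from the Vault docs; the "kv" mount (KV v2) and the
# accounting/ paths are assumed. Policies are deny by default, so any path not
# matched by a stanza below is inaccessible to a token carrying this policy.

# Read-only access to a single secret. Capabilities are always a list of
# strings, even when only one capability is granted.
path "kv/data/accounting/ledger" {
  capabilities = ["read"]
}

# Full control over a working area. "create" and "update" are granted together
# because most Vault endpoints do not distinguish between them; "patch" permits
# partial updates and "delete" removes the data.
path "kv/data/accounting/scratch/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}

# "list" is a separate capability: this token may enumerate key names under the
# prefix but cannot read their values. Key names returned by a list are not
# filtered by policy, which is why secrets must never be encoded in them.
path "kv/metadata/accounting/" {
  capabilities = ["list"]
}
```

After writing and attaching the policy with the two commands above, the effective capabilities of a token on a given path can be confirmed with `vault token capabilities <token> kv/data/accounting/ledger`, which should report only `read`.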