HashiCorp Certified: Vault Associate Certification
Create Vault Policies
Anatomy of a Vault Policy
Vault implements path-based access control. A policy is a set of rules, where each rule associates:
- A target path pattern
- A list of capabilities (permissions) for that path
You can combine multiple rules within a single policy to enforce the principle of least privilege.
Policy Template
path "<path-pattern>" {
  capabilities = ["<permission1>", "<permission2>", ...]
}
path "<another-path>" {
  capabilities = ["<permissionA>", "<permissionB>", ...]
}
Note
Path patterns support wildcards (* and ?) and must match the Vault mount and engine.
For details, see the Vault Policy Rules documentation.
Common Capabilities
| Capability | Description |
|---|---|
| create | Write new data or secret |
| read | Retrieve existing data or secret |
| update | Modify existing data or secret |
| delete | Remove data or secret |
| list | Enumerate keys or names under a path |
| sudo | Allow operations on behalf of another user |
Concrete Example
Below is a policy that combines KV secrets, policy administration, and dynamic AWS credentials:
path "kv/data/apps/jenkins" {
  capabilities = ["read", "update", "delete"]
}
path "sys/policies/*" {
  capabilities = ["create", "update", "list", "delete"]
}
path "aws/creds/web-app" {
  capabilities = ["read"]
}
Rule Breakdown
- kv/data/apps/jenkins: Grants read, update, and delete permissions on the Jenkins application data in the KV Secrets Engine.
- sys/policies/*: Allows managing all policies (* wildcard) with create, update, list, and delete.
- aws/creds/web-app: Permits read access to dynamic AWS credentials from the web-app role in the AWS Secrets Engine.
Warning
Overly broad path patterns (e.g., *) can expose more resources than intended. Always validate wildcard usage to avoid privilege escalation.
By composing targeted rules, Vault policies help you grant only the permissions required for each team or application, adhering to security best practices.
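To make the rule breakdown and the wildcard warning concrete, here is an added Python example (not part of the course material and not Vault's own code) that parses the policy above and evaluates requests against it. It is a deliberately simplified model of Vault's matching (an exact path beats a glob, a trailing * is a prefix match) and ignores + segment wildcards, the deny capability, and the merging of multiple policies on one token.

```python
import re

# Constructed copy of this page's example policy, used as parser input.
EXAMPLE_POLICY = '''
path "kv/data/apps/jenkins" {
  capabilities = ["read", "update", "delete"]
}
path "sys/policies/*" {
  capabilities = ["create", "update", "list", "delete"]
}
path "aws/creds/web-app" {
  capabilities = ["read"]
}
'''

# One rule block: path "<pattern>" { capabilities = [ ... ] }
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

def parse_policy(text):
    """Return [(path_pattern, {capabilities})] from policy HCL text."""
    return [(pattern, set(re.findall(r'"([^"]+)"', caps)))
            for pattern, caps in RULE_RE.findall(text)]

def matching_rule(rules, path):
    """Simplified Vault matching: an exact-path rule wins outright; otherwise
    the trailing-'*' glob with the longest matching prefix. None = no rule."""
    best = None
    for pattern, caps in rules:
        if pattern == path:
            return pattern, caps
        if pattern.endswith("*") and path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, caps)
    return best

def is_allowed(rules, path, capability):
    """Default deny: True only if the matching rule lists the capability."""
    hit = matching_rule(rules, path)
    return hit is not None and capability in hit[1]

if __name__ == "__main__":
    rules = parse_policy(EXAMPLE_POLICY)
    for path, cap in [("kv/data/apps/jenkins", "read"), ("kv/data/apps/jenkins", "list"),
                      ("sys/policies/acl/admin", "delete"), ("aws/creds/web-app", "update")]:
        print(f"{cap:6} {path:24} -> {'allow' if is_allowed(rules, path, cap) else 'deny'}")
    # The page's warning in action: a lone "*" rule matches every path in Vault.
    broad = parse_policy('path "*" { capabilities = ["read"] }')
    print("'*' rule reads sys/policies/acl/root:", is_allowed(broad, "sys/policies/acl/root", "read"))
```

Run it to see that list on the Jenkins path is denied (it is not in the rule), delete on sys/policies/acl/admin is allowed through the glob, and a bare * rule reaches every path, which is exactly what the warning above cautions against.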