KodeKloud Notes

Vault Policies are the foundation of access control in HashiCorp Vault. This guide covers the key concepts you need for Objective 2 of the Vault Certified Associate exam, including default behaviors, capabilities, protected paths, and advanced customization.

1. Vault Policy Fundamentals

Vault policies are declarative, path-based rules that grant or deny access. All paths default to deny—if no policy explicitly allows an action, it is not permitted.

Path-based rules control access at granular levels.
Two built-in policies exist by default:
Policy Description
root Unrestricted access; bound to the root token.
default Automatically applied to non-root tokens; can be disabled.
To explore default permissions:
1. Start a Dev server (vault server -dev).
2. Retrieve policies with vault policy read default.
3. Inspect allowed paths and capabilities.

Policy	Description
root	Unrestricted access; bound to the root token.
default	Automatically applied to non-root tokens; can be disabled.

The image provides exam tips related to understanding default policy permissions, capabilities like CRUD, and the difference between "create" and "update" actions. It includes a decorative pixelated border and a cartoon character at the bottom right.

2. Key Capabilities in Vault Policies

Vault supports a defined set of capabilities. Understanding each is critical for writing precise policies.

Capability	Description	Example Usage
create	Write a new secret or resource	`path "secret/data/foo" { capabilities = ["create"] }`
read	Retrieve data	`capabilities = ["read"]`
update	Modify an existing secret or resource	`capabilities = ["update"]`
delete	Remove data or resource	`capabilities = ["delete"]`
list	Enumerate keys or subpaths	`capabilities = ["list"]`
sudo	Perform privileged operations on an endpoint	`capabilities = ["sudo"]`
deny	Explicitly deny access	`capabilities = ["deny"]`

Note

write is not a valid capability. Use create for resources that don’t exist and update for modifying existing ones.

3. Root-Protected Paths

Some Vault endpoints require the root policy. While you don’t need to memorize every path, be familiar with common protected endpoints:

sys/policies/acl/*
sys/license
sys/shutdown
sys/health

Review the Vault API references to recognize which operations are gated.

The image provides exam tips related to understanding root-protected paths and customizing policies, including using specific symbols and templating options. It includes a link for further learning and features a small illustration of a person in sunglasses.

4. Policy Customization Techniques

Advanced policy authorship often uses globbing and templating to handle dynamic paths:

Globbing
- *: matches zero or more characters
- +: matches any one of the listed characters

Templating

Insert runtime variables in paths:

path "identity/entity/name/{{entity.name}}/alias" {
  capabilities = ["create", "read"]
}

Conclusion

To excel on Objective 2 of the Vault Certified Associate exam:

Verify foundational policy behavior in a dev Vault instance.
Memorize the set of valid capabilities (CRUD, list, sudo, deny).
Recognize key root-protected endpoints.
Practice globbing and templating for dynamic policy definitions.

Good luck, and happy vaulting!

Links and References

Watch Video

Watch video content