HashiCorp Certified: Vault Associate Certification
Create Vault Policies
Exam Tips for Objective 2
Vault Policies are the foundation of access control in HashiCorp Vault. This guide covers the key concepts you need for Objective 2 of the Vault Certified Associate exam, including default behaviors, capabilities, protected paths, and advanced customization.
1. Vault Policy Fundamentals
Vault policies are declarative, path-based rules that grant or deny access. All paths default to deny
—if no policy explicitly allows an action, it is not permitted.
Path-based rules control access at granular levels.
Two built-in policies exist by default:
Policy Description root Unrestricted access; bound to the root token. default Automatically applied to non-root tokens; can be disabled. To explore default permissions:
- Start a Dev server (
vault server -dev
). - Retrieve policies with
vault policy read default
. - Inspect allowed paths and capabilities.
- Start a Dev server (
2. Key Capabilities in Vault Policies
Vault supports a defined set of capabilities. Understanding each is critical for writing precise policies.
Capability | Description | Example Usage |
---|---|---|
create | Write a new secret or resource | path "secret/data/foo" { capabilities = ["create"] } |
read | Retrieve data | capabilities = ["read"] |
update | Modify an existing secret or resource | capabilities = ["update"] |
delete | Remove data or resource | capabilities = ["delete"] |
list | Enumerate keys or subpaths | capabilities = ["list"] |
sudo | Perform privileged operations on an endpoint | capabilities = ["sudo"] |
deny | Explicitly deny access | capabilities = ["deny"] |
Note
write
is not a valid capability. Use create for resources that don’t exist and update for modifying existing ones.
3. Root-Protected Paths
Some Vault endpoints require the root policy. While you don’t need to memorize every path, be familiar with common protected endpoints:
sys/policies/acl/*
sys/license
sys/shutdown
sys/health
Review the Vault API references to recognize which operations are gated.
4. Policy Customization Techniques
Advanced policy authorship often uses globbing and templating to handle dynamic paths:
- Globbing
*
: matches zero or more characters+
: matches any one of the listed characters
- Templating
- Insert runtime variables in paths:
path "identity/entity/name/{{entity.name}}/alias" { capabilities = ["create", "read"] }
- Insert runtime variables in paths:
Conclusion
To excel on Objective 2 of the Vault Certified Associate exam:
- Verify foundational policy behavior in a dev Vault instance.
- Memorize the set of valid capabilities (CRUD, list, sudo, deny).
- Recognize key root-protected endpoints.
- Practice globbing and templating for dynamic policy definitions.
Good luck, and happy vaulting!
Links and References
Watch Video
Watch video content