Skip to main content
Vault Policies are the foundation of access control in HashiCorp Vault. This guide covers the key concepts you need for Objective 2 of the Vault Certified Associate exam, including default behaviors, capabilities, protected paths, and advanced customization.

1. Vault Policy Fundamentals

Vault policies are declarative, path-based rules that grant or deny access. All paths default to deny—if no policy explicitly allows an action, it is not permitted.
  • Path-based rules control access at granular levels.
  • Two built-in policies exist by default:
    PolicyDescription
    rootUnrestricted access; bound to the root token.
    defaultAutomatically applied to non-root tokens; can be disabled.
  • To explore default permissions:
    1. Start a Dev server (vault server -dev).
    2. Retrieve policies with vault policy read default.
    3. Inspect allowed paths and capabilities.
The image provides exam tips related to understanding default policy permissions, capabilities like CRUD, and the difference between "create" and "update" actions. It includes a decorative pixelated border and a cartoon character at the bottom right.

2. Key Capabilities in Vault Policies

Vault supports a defined set of capabilities. Understanding each is critical for writing precise policies.
CapabilityDescriptionExample Usage
createWrite a new secret or resourcepath "secret/data/foo" { capabilities = ["create"] }
readRetrieve datacapabilities = ["read"]
updateModify an existing secret or resourcecapabilities = ["update"]
deleteRemove data or resourcecapabilities = ["delete"]
listEnumerate keys or subpathscapabilities = ["list"]
sudoPerform privileged operations on an endpointcapabilities = ["sudo"]
denyExplicitly deny accesscapabilities = ["deny"]
write is not a valid capability. Use create for resources that don’t exist and update for modifying existing ones.

3. Root-Protected Paths

Some Vault endpoints require the root policy. While you don’t need to memorize every path, be familiar with common protected endpoints:
  • sys/policies/acl/*
  • sys/license
  • sys/shutdown
  • sys/health
Review the Vault API references to recognize which operations are gated.
The image provides exam tips related to understanding root-protected paths and customizing policies, including using specific symbols and templating options. It includes a link for further learning and features a small illustration of a person in sunglasses.

4. Policy Customization Techniques

Advanced policy authorship often uses globbing and templating to handle dynamic paths:
  • Globbing
    • *: matches zero or more characters
    • +: matches any one of the listed characters
  • Templating
    • Insert runtime variables in paths: 
      path "identity/entity/name/{{entity.name}}/alias" {
  capabilities = ["create", "read"]
}

Conclusion

To excel on Objective 2 of the Vault Certified Associate exam:
  1. Verify foundational policy behavior in a dev Vault instance.
  2. Memorize the set of valid capabilities (CRUD, list, sudo, deny).
  3. Recognize key root-protected endpoints.
  4. Practice globbing and templating for dynamic policy definitions.
Good luck, and happy vaulting!

Watch Video