HashiCorp Certified: Vault Associate Certification
Create Vault Policies
Managing Policies using the CLI
Vault policies define fine-grained authorization rules for accessing secrets and operations. Using Vault’s policy
namespace in the CLI, you can list, read, create/update, delete, and format policy files.
| Subcommand | Description |
|---|---|
| list | List all existing policies |
| read | Display the HCL contents of a policy |
| write | Create or update a policy from an HCL file |
| delete | Remove a policy from Vault |
| fmt | Canonicalize an HCL policy file's format |
For detailed syntax, see the Vault CLI Policy Commands.
1. Listing Policies
To view all policies currently loaded into Vault:
vault policy list
Sample output:
admin-policy
default
root
Note
Vault always provides the built-in default and root policies. Custom policies appear alongside these.
2. Writing (Creating or Updating) a Policy
Create a new policy or update an existing one by specifying the policy name and the path to your HCL file:
vault policy write admin-policy /tmp/admin.hcl
Expected output:
Success! Uploaded policy: admin-policy
Steps breakdown:
- vault – invokes the Vault CLI
- policy – selects the policy management namespace
- write – subcommand for creation or update
- admin-policy – policy name
- /tmp/admin.hcl – HCL file path
Note
Ensure the HCL file path is correct and accessible. Relative or absolute paths both work.
3. Reading a Policy
To inspect the rules defined in a policy:
vault policy read admin-policy
This outputs the HCL block that defines all allowed paths and capabilities for admin-policy.
4. Deleting a Policy
Remove a policy when it’s no longer needed:
vault policy delete admin-policy
Expected output:
Success! Deleted policy: admin-policy
Warning
Deleting a policy is irreversible. Make sure it’s no longer in use by any Vault tokens or roles.
5. Formatting a Policy File
If your HCL file has inconsistent whitespace or indentation, fmt will rewrite it in a canonical form:
vault policy fmt /tmp/admin.hcl
This command overwrites /tmp/admin.hcl with a properly formatted version.
Example: Creating a webapp Policy
Given an HCL file /tmp/webapp.hcl, create a new policy named webapp:
vault policy write webapp /tmp/webapp.hcl
You should see:
Success! Uploaded policy: webapp
Now, running vault policy list will include webapp:
vault policy list
# → admin-policy
# → default
# → root
# → webapp
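As an added example (not part of the course page or of HashiCorp's own tooling), the following POSIX shell script drafts the webapp policy as HCL, lints it for two common over-grants before anything is uploaded, and then runs the page's vault policy fmt / write / read commands only when the vault CLI is on PATH. The policy contents, the lint rules, the file path and every function name here are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the course page. Drafts a least-privilege policy file,
# lints it locally, and only then hands it to the real `vault policy` commands.
# POLICY_FILE defaults to the page's example path; override via the environment.
POLICY_FILE="${POLICY_FILE:-/tmp/webapp.hcl}"

# write_webapp_policy: write a constructed read-only policy for the webapp to $1.
write_webapp_policy() {
  cat > "$1" <<'EOF'
# Constructed example policy: read-only access to the webapp's own secrets.
path "secret/data/webapp/*" {
  capabilities = ["read", "list"]
}

# Let the app renew its own token, but grant nothing else under auth/.
path "auth/token/renew-self" {
  capabilities = ["update"]
}
EOF
}

# lint_policy: return 0 if the policy avoids two common over-grants:
#   - a path stanza of "*" (every path in Vault), or
#   - the "sudo" capability (only needed for a handful of root-protected paths).
# Findings go to stderr; returns 1 if any finding was made.
lint_policy() {
  file="$1"
  status=0
  if grep -Eq '^[[:space:]]*path[[:space:]]+"\*"' "$file"; then
    echo "lint: policy grants the wildcard path \"*\"" >&2
    status=1
  fi
  if grep -Eq '"sudo"' "$file"; then
    echo "lint: policy grants the sudo capability" >&2
    status=1
  fi
  return "$status"
}

# count_paths: number of path stanzas in the file, a sanity check that the
# file you are about to upload contains what you think it does.
count_paths() {
  grep -Ec '^[[:space:]]*path[[:space:]]+"' "$1"
}

# upload_policy: format, upload and read back the policy using the CLI commands
# from the page. Skips (exit 2) when no vault binary is available.
upload_policy() {
  name="$1"
  file="$2"
  if ! command -v vault >/dev/null 2>&1; then
    echo "vault CLI not found; skipping upload of $name" >&2
    return 2
  fi
  vault policy fmt "$file" &&
    vault policy write "$name" "$file" &&
    vault policy read "$name"
}

main() {
  write_webapp_policy "$POLICY_FILE"
  if ! lint_policy "$POLICY_FILE"; then
    echo "refusing to upload an over-privileged policy: $POLICY_FILE" >&2
    return 1
  fi
  echo "$POLICY_FILE contains $(count_paths "$POLICY_FILE") path stanza(s)"
  upload_policy webapp "$POLICY_FILE"
}

# Run the workflow only when invoked as `sh script.sh run`, so the functions
# can also be sourced and reused on their own.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as sh vault_policy.sh run against a Vault you have write access to (VAULT_ADDR and VAULT_TOKEN set); without the vault binary it stops after the local lint and path count. The lint is deliberately coarse: it catches the two grants that most often turn a scoped application policy into an administrative one, and it is meant to run before vault policy write, since the page's delete step is the only way to take an uploaded policy back.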