Managing Policies using the CLI

Vault policies define fine-grained authorization rules for accessing secrets and operations. Using Vault’s policy namespace in the CLI, you can list, read, create/update, delete, and format policy files.

For detailed syntax, see the Vault CLI Policy Commands.

1. Listing Policies

To view all policies currently loaded into Vault:

vault policy list

Sample output:

admin-policy
default
root

2. Writing (Creating or Updating) a Policy

Create a new policy or update an existing one by specifying the policy name and the path to your HCL file:

vault policy write admin-policy /tmp/admin.hcl

Expected output:

Success! Uploaded policy: admin-policy

Steps breakdown:

1. vault – invokes the Vault CLI
2. policy – selects the policy management namespace
3. write – subcommand for creation or update
4. admin-policy – policy name
5. /tmp/admin.hcl – HCL file path

3. Reading a Policy

To inspect the rules defined in a policy:

vault policy read admin-policy

This outputs the HCL block that defines all allowed paths and capabilities for admin-policy.

4. Deleting a Policy

Remove a policy when it’s no longer needed:

vault policy delete admin-policy

Expected output:

Success! Deleted policy: admin-policy

5. Formatting a Policy File

If your HCL file has inconsistent whitespace or indentation, fmt will rewrite it in a canonical form:

vault policy fmt /tmp/admin.hcl

This command overwrites /tmp/admin.hcl with a properly formatted version.

Example: Creating a webapp Policy

Given an HCL file /tmp/webapp.hcl, create a new policy named webapp:

vault policy write webapp /tmp/webapp.hcl

You should see:

Success! Uploaded policy: webapp

Now, running vault policy list will include webapp:

vault policy list
# → admin-policy
# → default
# → root
# → webapp

Links and References

• Vault CLI Documentation
• Vault Policy Guide
• HCL Language Reference