HashiCorp Certified: Vault Associate Certification

Create Vault Policies

Managing Policies using the CLI

Vault policies define fine-grained authorization rules for accessing secrets and operations. Using the vault policy command group in the CLI (not to be confused with Vault namespaces, which are a separate tenancy feature), you can list, read, create/update, delete, and format policy files.

Subcommand   Description
list         List all existing policies
read         Display the HCL contents of a policy
write        Create or update a policy from an HCL file
delete       Remove a policy from Vault
fmt          Canonicalize an HCL policy file's format

For detailed syntax, see the Vault CLI Policy Commands.

1. Listing Policies

To view all policies currently loaded into Vault:

vault policy list

Sample output:

admin-policy
default
root

Note

Vault always provides a default and a root policy. Custom policies appear alongside these. The root policy cannot be modified or deleted; the default policy can be modified but not deleted, and it is attached to every token unless the token is created with the no-default-policy option.

2. Writing (Creating or Updating) a Policy

Create a new policy or update an existing one by specifying the policy name and the path to your HCL file:

vault policy write admin-policy /tmp/admin.hcl

Expected output:

Success! Uploaded policy: admin-policy

Steps breakdown:

  1. vault – invokes the Vault CLI
  2. policy – selects the policy command group
  3. write – subcommand for creation or update
  4. admin-policy – policy name
  5. /tmp/admin.hcl – HCL file path

Note

Ensure the HCL file path is correct and accessible. Relative and absolute paths both work, and passing - instead of a path reads the policy from standard input. Writing to an existing policy name replaces its rules immediately for every token that carries that policy.

3. Reading a Policy

To inspect the rules defined in a policy:

vault policy read admin-policy

This outputs the HCL block that defines all allowed paths and capabilities for admin-policy.

4. Deleting a Policy

Remove a policy when it’s no longer needed:

vault policy delete admin-policy

Expected output:

Success! Deleted policy: admin-policy

Warning

Deleting a policy is irreversible. Make sure it is no longer in use by any Vault tokens, auth method roles, or entities/groups. Deletion does not revoke tokens that reference the policy by name, but those tokens lose every capability the policy granted. The root and default policies cannot be deleted.

5. Formatting a Policy File

If your HCL file has inconsistent whitespace or indentation, fmt will rewrite it in a canonical form:

vault policy fmt /tmp/admin.hcl

This command overwrites /tmp/admin.hcl with a properly formatted version.

Example: Creating a webapp Policy

Given an HCL file /tmp/webapp.hcl, create a new policy named webapp:

vault policy write webapp /tmp/webapp.hcl

You should see:

Success! Uploaded policy: webapp

Now, running vault policy list will include webapp:

vault policy list
# → admin-policy
# → default
# → root
# → webapp
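The steps above (write, list, read, delete, and fmt), plus a capability check that the page's own example does not show, combined into one script. This is an added example, not code from the course or from HashiCorp; the policy contents, the /tmp path, the secret/ KV v2 mount and the webapp paths are assumptions. The Vault commands run only when the vault CLI is on PATH and VAULT_ADDR is set (for example against a dev server with VAULT_TOKEN exported); otherwise the script just writes the HCL file.

```shell
#!/usr/bin/env bash
# Added example: full policy lifecycle against a dev Vault server.
set -euo pipefail

# Hypothetical file path, matching the page's example
POLICY_FILE="${POLICY_FILE:-/tmp/webapp.hcl}"

# Generate a least-privilege policy for a web application.
# KV v2 stores data under secret/data/<path> and key listings under secret/metadata/<path>.
write_policy_file() {
  cat > "$1" <<'EOF'
# Read-only access to the application's own secrets (KV v2 data path)
path "secret/data/webapp/*" {
  capabilities = ["read"]
}

# Allow listing keys under the application prefix (KV v2 metadata path)
path "secret/metadata/webapp/*" {
  capabilities = ["list"]
}

# An explicit deny wins over any allow: never expose the signing key
path "secret/data/webapp/signing-key" {
  capabilities = ["deny"]
}
EOF
}

# Offline sanity check: number of path stanzas in an HCL policy file
count_paths() { grep -c '^path "' "$1"; }

# Run the CLI lifecycle; needs VAULT_ADDR and a VAULT_TOKEN allowed to manage policies
policy_lifecycle() {
  local name="$1" file="$2"
  vault policy fmt "$file"                 # canonicalize whitespace in place
  vault policy write "$name" "$file"       # create or update the policy
  vault policy list | grep -qx "$name"     # confirm it is now loaded
  vault policy read "$name"                # show the stored rules

  # Mint a short-lived token carrying only this policy and check what it can do
  local tok
  tok=$(vault token create -policy="$name" -ttl=5m -field=token)
  vault token capabilities "$tok" secret/data/webapp/config        # expected: read
  vault token capabilities "$tok" secret/data/webapp/signing-key   # expected: deny
  vault token revoke "$tok"

  vault policy delete "$name"              # remove it once no longer needed
}

write_policy_file "$POLICY_FILE"
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  policy_lifecycle webapp "$POLICY_FILE"
else
  echo "vault CLI or VAULT_ADDR not available; wrote $POLICY_FILE only"
fi
```

The capability check is the part worth keeping in a real workflow: reading a policy back only proves the text was stored, while vault token capabilities shows what a token holding that policy is actually allowed to do on a concrete path, including the effect of an explicit deny.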
