Vault Policies Path

Common Vault Paths
Understanding a Secrets Engine Path
Root-Protected Paths
Further Reading

Vault policies rely on hierarchical paths to control access. Everything in Vault is organized by path, reinforcing the core concepts of Vault’s architecture and pathing model. By understanding how paths work, you can craft precise policies that grant only the permissions your applications and operators need.

Common Vault Paths

Path	Type	Description
sys/policy	System	Manage policies
auth/ldap/groups/developers	Auth method	LDAP group binding for “developers”
database/roles/prod-db	Secrets engine	Role definition for a production database
sys/rekey	System-critical	Re-encrypt data keys during rekey operations

Paths prefixed with sys/ map to Vault’s internal systems. For example, sys/rekey is used to rotate and re-encrypt data encryption keys.

Understanding a Secrets Engine Path

When you enable the KV (Key-Value) secrets engine v2 at the mount point secrets/, all data operations use the data/ prefix. For instance, storing Ansible credentials under a nested hierarchy might look like this:

secrets/data/platform/aws/tools/ansible

This path breaks down as:

Segment	Description
secrets/	KV-v2 mount point
data/	Data API prefix for KV-v2
platform/aws/tools/ansible	Custom, application-specific hierarchy

Each segment after data/ can contain key/value pairs. Always reference the complete path when reading, writing, or deleting secrets.

The image explains the structure of a path used in a secrets management system, highlighting different segments for mounting, required elements, higher-level paths, and key/value storage.

Root-Protected Paths

Certain Vault endpoints are root-protected and require either a root token or sudo capabilities to access. These paths control critical cluster operations.

Path	Action
sys/rotate	Rotate the master encryption key
sys/seal	Manually seal (lock) the Vault
sys/step-down	Force the current leader to step down

Root-protected paths expose powerful operations. Grant sudo only to trusted administrators.

The image is a slide titled "Vault Policies - Path," explaining root-protected paths in Vault, requiring a root token or sudo capability, with examples like creating an orphan token and rotating the encryption key. It features a lock icon and a cartoon character.

To grant sudo capabilities on these critical paths, include the following in your HCL policy:

path "sys/rotate" {
  capabilities = ["sudo"]
}

path "sys/seal" {
  capabilities = ["sudo"]
}

path "sys/step-down" {
  capabilities = ["sudo"]
}

Use this snippet to ensure only authorized operators can perform high-privilege Vault operations.

Watch Video

Anatomy of a Vault Policy

Vault Policies Capabilities

⌘I

Introduction

Introduction to Vault

Learning the Vault Architecture

Installing Vault

Compare Authentication Methods

Create Vault Policies

Assess Vault Tokens

Compare and Configure Secrets Engines

Vault Agent

Vault Replication

Vault Policies Path

Common Vault Paths

Understanding a Secrets Engine Path

Root-Protected Paths

Further Reading

Watch Video

Introduction

Introduction to Vault

Learning the Vault Architecture

Installing Vault

Compare Authentication Methods

Create Vault Policies

Assess Vault Tokens

Compare and Configure Secrets Engines

Vault Agent

Vault Replication

​Common Vault Paths

​Understanding a Secrets Engine Path

​Root-Protected Paths

​Further Reading

Watch Video

Common Vault Paths

Understanding a Secrets Engine Path

Root-Protected Paths

Further Reading