Policies
A policy in Vault is an HCL (or JSON) document that specifies the permissions and capabilities associated with a specific path or set of paths within Vault's hierarchical key-value store. It defines which operations, such as read, write, delete, or list, may be performed on specific paths and the conditions under which those actions are allowed.
Policies are written in HashiCorp Configuration Language (HCL) and can be created, managed, and assigned to users or groups within Vault. They can be applied at various levels, including globally, for specific paths, or even on a per-secret basis, which allows for fine-grained access control.
When a user or client authenticates with Vault, their identity is mapped to one or more policies. The policies attached to that identity determine its level of access to secrets and operations within Vault. If a user tries to perform an action that their assigned policies do not allow, Vault denies the request.
By using policies, administrators can enforce the principle of least privilege, granting users or clients access only to the resources they require. This helps enhance security and ensures that sensitive data stored in Vault is protected from unauthorized access.
Example policy (written in HCL)
policies/demo.hcl
    path "demo/data/*" {
      capabilities = ["read", "create", "update", "list"]
    }
    path "demo/metadata/*" {
      capabilities = ["read", "create", "update", "list"]
    }
Load it into a Terraform resource
    resource "vault_policy" "policy" {
      name   = "policy"
      policy = file("${path.module}/policies/demo.hcl")
    }
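To make the permit/deny decision described above concrete, here is an added Python example (not part of this page, of Vault, or of the Terraform provider) that parses the `path` blocks of demo.hcl with a minimal regex and evaluates requests against them. The parser only understands the block shape shown on this page, and the rule-precedence logic is a simplified approximation of Vault's (exact path beats glob, longer glob beats shorter).

```python
import re
from typing import Dict, List

# Constructed copy of the demo.hcl policy shown on this page.
DEMO_POLICY = '''
path "demo/data/*" {
  capabilities = ["read", "create", "update", "list"]
}
path "demo/metadata/*" {
  capabilities = ["read", "create", "update", "list"]
}
'''

# Matches `path "<pattern>" { capabilities = [...] }` blocks only.
# Real HCL also allows comments, other keys and heredocs; this is a toy parser.
_BLOCK = re.compile(
    r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S
)


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Return {path_pattern: [capabilities]} for every path block found."""
    rules: Dict[str, List[str]] = {}
    for pattern, caps in _BLOCK.findall(hcl):
        rules[pattern] = re.findall(r'"([^"]+)"', caps)
    return rules


def _matches(pattern: str, request_path: str) -> bool:
    # A trailing '*' is a glob: it matches any suffix, including the empty one.
    if pattern.endswith("*"):
        return request_path.startswith(pattern[:-1])
    return pattern == request_path


def is_allowed(rules: Dict[str, List[str]], request_path: str, capability: str) -> bool:
    """Decide one request: no matching rule means deny (Vault's default);
    the most specific matching rule applies; an explicit 'deny' always wins."""
    matching = [p for p in rules if _matches(p, request_path)]
    if not matching:
        return False
    # Exact patterns sort before globs; among globs the longest prefix wins.
    best = min(matching, key=lambda p: (p.endswith("*"), -len(p)))
    caps = rules[best]
    if "deny" in caps:
        return False
    return capability in caps


if __name__ == "__main__":
    rules = parse_policy(DEMO_POLICY)
    for path, cap in [("demo/data/app/config", "read"), ("demo/data/app", "delete"),
                      ("prod/data/app", "read"), ("demo/metadata/app", "list")]:
        print(f"{cap:6} {path:22} -> {'allow' if is_allowed(rules, path, cap) else 'deny'}")
```

Note that `delete` on `demo/data/*` is denied because the demo policy does not grant it, and anything outside `demo/` is denied because no rule matches at all.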