policy

The policy command groups subcommands for interacting with policies. Users can write, read, and list policies in Vault.

For more information, please see the policy documentation.

Examples

List all enabled policies:

$ vault policy list

Create a policy named "my-policy" from contents on local disk:

$ vault policy write my-policy ./my-policy.hcl

Delete the policy named my-policy:

$ vault policy delete my-policy

Usage

Usage: vault policy <subcommand> [options] [args]

  # ...

Subcommands:
    delete    Deletes a policy by name
    list      Lists the installed policies
    read      Prints the contents of a policy
    write     Uploads a named policy from a file

For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar.

policy delete

The policy delete command deletes the policy named NAME in the Vault server. Once the policy is deleted, all tokens associated with the policy are affected immediately.

Note that it is not possible to delete the "default" or "root" policies. These are built-in policies.

Examples

Delete the policy named "my-policy":

$ vault policy delete my-policy

Usage

There are no flags beyond the standard set of flags included on all commands.

policy fmt

The policy fmt command formats a local policy file to the policy specification. This command overwrites the file at the given PATH with the properly formatted policy file contents.

Examples

Format the local file "my-policy.hcl":

$ vault policy fmt my-policy.hcl

Usage

There are no flags beyond the standard set of flags included on all commands.

policy list

The policy list command lists the names of the policies that are installed on the Vault server.

Examples

List the available policies:

$ vault policy list
default
root

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the VAULT_FORMAT environment variable.

policy read

The policy read command prints the contents and metadata of the Vault policy named NAME. If the policy does not exist, an error is returned.

Examples

Read the policy named "my-policy":

$ vault policy read my-policy

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the VAULT_FORMAT environment variable.

policy write

The policy write command uploads a policy with name NAME from the contents of a local file PATH or stdin. If PATH is "-", the policy is read from stdin. Otherwise, it is loaded from the file at the given path on the local disk.

For details on the policy syntax, please see the policy documentation.

Examples

Upload a policy named "my-policy" from "/tmp/policy.hcl" on the local disk:

$ vault policy write my-policy /tmp/policy.hcl

Upload a policy from stdin:

$ cat my-policy.hcl | vault policy write my-policy -

Usage

There are no flags beyond the standard set of flags included on all commands.
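The workflow these subcommands describe (write a policy from stdin with "-" as PATH, read it back, confirm it in the JSON policy list, and never touch the built-in "default" and "root" policies), as an added bash script that is not part of the Vault documentation. The KV path "secret/data/app/<name>", the VAULT_CMD override and the helper names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: least-privilege policy lifecycle with the vault CLI.
set -eu

# The page notes "default" and "root" cannot be deleted; treat them as
# off-limits for overwriting too, so a typo cannot widen root-level access.
is_builtin_policy() {
  case "$1" in
    default|root) return 0 ;;
    *) return 1 ;;
  esac
}

# Render a read-only policy for one application's secrets.
# The path layout "secret/data/app/<name>/*" is an assumption for this example.
render_readonly_policy() {
  local app="$1"
  cat <<EOF
# Read-only access to the "${app}" application's secrets (constructed example).
path "secret/data/app/${app}/*" {
  capabilities = ["read", "list"]
}
EOF
}

# VAULT_CMD defaults to the real CLI; it can be pointed at a mock for testing.
VAULT_CMD="${VAULT_CMD:-vault}"

# Upload the rendered policy via stdin ("-" as PATH), then verify it by
# reading it back and checking that it appears in the JSON policy list.
deploy_policy() {
  local name="$1" app="$2"
  if is_builtin_policy "$name"; then
    echo "refusing to overwrite built-in policy '$name'" >&2
    return 1
  fi
  render_readonly_policy "$app" | "$VAULT_CMD" policy write "$name" -
  "$VAULT_CMD" policy read "$name" >/dev/null
  "$VAULT_CMD" policy list -format=json | grep -q "\"$name\""
}
```

Run as `deploy_policy my-policy payments` against a Vault the current token can administer; the read-back step fails loudly if the write did not take effect.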
