Policies

Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault. In this step, you will create a policy and then edit it to support new requirements.

This step assumes you started the Vault server and signed in with the root token in the Web UI step.

Create a policy

Select Policies from the menu

This view is the policy index and displays all the policies. The default policy and the root policy were created when Vault was initialized.

Select the Create ACL policy action.

Enter webapp in the Name field.

Enter this policy in the Policy field.

# Read the configuration secret example
path "secret/config" {
    capabilities = ["read"]
}

# List secrets engines
path "sys/mounts" {
    capabilities = ["read"]
}

Choose the Create policy action at the bottom of the view.

The policy is created and this view displays its name and contents.

Select the ACL Policies navigation from within the view.

The view returns to the policy index. The new webapp policy is displayed.

Filtering

When there are a lot of policies, the Filter policies field can narrow the displayed policies down to a manageable list or the exact policy.

Edit a policy

The webapp policy needs to be updated to support a new secrets engine and its paths required and capabilities.

Select the webapp policy title from within the policy index view.
This view displays the policy with its definition. The read-only policy field displays the entire contents of the policy.
Select the Edit policy action from within the view.

This view is the policy edit view. The Policy field provides a text editor preloaded with the policy definition.

Select the Policy text editor from within the view.

The editor enables navigation through the arrow keys.

Add this policy to after the other content in the Policy field.

# Enable Transit secrets engine
path "sys/mounts/transit" {
    capabilities = ["create", "update"]
}

# Manage Transit secrets engine keys
path "transit/keys" {
    capabilities = ["list"]
}
path "transit/keys/*" {
    capabilities = ["create", "list", "read", "update"]
}
path "transit/keys/+/config" {
    capabilities = ["create", "update"]
}

# Encrypt with any Transit secrets engine key
path "transit/encrypt/*" {
    capabilities = ["create", "update"]
}

# Decrypt with any Transit secrets engine key
path "transit/decrypt/*" {
    capabilities = ["create", "update"]
}

Editing

The editor supports common keyboard shortcuts for undo and redo. You can also reset every change back its original by choosing Cancel.

The updated policy needs to be saved.

Choose the Save action at the bottom of the view.

The policy is updated. The view returns to the policy and its updated definition.

PreviousAccess Control NextUse Cases

Last updated 6 months ago

# Enable Transit secrets engine path "sys/mounts/transit" { capabilities = ["create", "update"] } # Manage Transit secrets engine keys path "transit/keys" { capabilities = ["list"] } path "transit/keys/*" { capabilities = ["create", "list", "read", "update"] } path "transit/keys/+/config" { capabilities = ["create", "update"] } # Encrypt with any Transit secrets engine key path "transit/encrypt/*" { capabilities = ["create", "update"] } # Decrypt with any Transit secrets engine key path "transit/decrypt/*" { capabilities = ["create", "update"] }