# vhsm policy

The `vhsm policy` command groups subcommands for interacting with vHSM policies. Users can write, read, list, and delete policies.

### **Usage**

```sh
vhsm policy <subcommand> [options] [args]
```

#### **Subcommands**

| Subcommand                       | Description                         |
| -------------------------------- | ----------------------------------- |
| [`delete`](#vault-policy-delete) | Deletes a policy by name.           |
| [`fmt`](#vault-policy-fmt)       | Formats a local policy file.        |
| [`list`](#vault-policy-list)     | Lists installed policies.           |
| [`read`](#vault-policy-read)     | Prints the contents of a policy.    |
| [`write`](#vault-policy-write)   | Uploads a named policy from a file. |

### **`vhsm policy delete`**

Deletes the specified policy from the vHSM server. This action immediately affects all tokens associated with the policy.

{% hint style="info" %}
**Note:** The built-in `default` and `root` policies cannot be deleted.
{% endhint %}

**Example**

```sh
vhsm policy delete my-policy
```

**Output**

```
Success! Deleted policy: my-policy
```

This command does not have additional flags beyond the standard vHSM CLI options.

### **`vhsm policy fmt`**

Formats a local policy file according to vHSM's policy specification. This command overwrites the existing file.

**Example**

```sh
vhsm policy fmt my-policy.hcl
```

**Output**

```
Success! Formatted policy: my-policy.hcl
```

This command does not have additional flags beyond the standard vHSM CLI options.

### **`vhsm policy list`**

Lists the names of all installed policies in the vHSM server.

**Example**

```sh
vhsm policy list
```

**Output**

```
default
my-policy
root
```

**Options**

| Flag      | Type   | Default | Description                                                                    |
| --------- | ------ | ------- | ------------------------------------------------------------------------------ |
| `-format` | string | `table` | Output format: `table`, `json`, or `yaml`. Can also be set via `VAULT_FORMAT`. |

### **`vhsm policy read`**

Displays the contents and metadata of a specified policy. Returns an error if the policy does not exist.

**Example**

```sh
vhsm policy read my-policy
```

**Output**

```
# Define policy name and capabilities
path "secret/data/my-app/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Grant read-only access to another secret path
path "secret/data/config" {
  capabilities = ["read", "list"]
}

# Allow access to check authentication status
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

```

**Options**

| Flag      | Type   | Default | Description                                                                    |
| --------- | ------ | ------- | ------------------------------------------------------------------------------ |
| `-format` | string | `table` | Output format: `table`, `json`, or `yaml`. Can also be set via `VAULT_FORMAT`. |

***

### **`vhsm policy write`**

Uploads a policy from a file or standard input.

**Examples**

Upload a policy from a local file:

```sh
vhsm policy write my-policy /tmp/policy.hcl
```

Upload a policy from `stdin`:

```sh
cat my-policy.hcl | vhsm policy write my-policy -
```

**Output**

```
Success! Uploaded policy: my-policy
```

This command does not have additional flags beyond the standard vHSM CLI options.
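
A review step to run before `vhsm policy write`, as an added example that is not part of the vHSM documentation or tooling: the hypothetical helper `audit_policy` lists every stanza whose path contains a glob (`*`) and grants `create`, `update` or `delete`, and returns non-zero so a script can stop before uploading. It assumes the policy syntax shown under `vhsm policy read`; the sample input is that policy with its comments omitted.

```sh
#!/bin/sh
# Added example (not vHSM tooling): review gate to run before `vhsm policy write`.

# Sample input: the policy shown under `vhsm policy read`, comments omitted.
sample_policy() {
  cat <<'EOF'
path "secret/data/my-app/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/data/config" {
  capabilities = ["read", "list"]
}
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
EOF
}

# audit_policy FILE (hypothetical helper): print one REVIEW line per stanza
# whose path contains a glob (*) and grants create, update or delete.
# Returns 1 if any stanza was flagged, 0 otherwise.
audit_policy() {
  awk '
    /^[ \t]*#/ { next }                    # ignore comment lines
    /^[ \t]*path[ \t]+"/ {                 # stanza header: path "<pattern>" {
      split($0, q, "\"")
      path = q[2]; body = ""; in_stanza = 1
      sub(/^[^{]*/, "")                    # drop the header, keep from "{" on
    }
    in_stanza { body = body " " $0 }       # collect the stanza, one or many lines
    in_stanza && index($0, "}") {          # stanza closed: evaluate it
      risky = ""
      n = split("create update delete", caps, " ")
      for (i = 1; i <= n; i++)
        if (body ~ "\"" caps[i] "\"")
          risky = risky (risky == "" ? "" : ",") caps[i]
      if (index(path, "*") && risky != "") {
        printf "REVIEW %s grants %s\n", path, risky
        found = 1
      }
      in_stanza = 0
    }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

tmp=$(mktemp)
sample_policy > "$tmp"
audit_policy "$tmp" || echo "flagged stanzas need sign-off before upload"
rm -f "$tmp"
```

In a pipeline, call `audit_policy my-policy.hcl` ahead of the upload and only proceed on a zero exit status or an explicit reviewer approval.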
