vhsm policy

The vhsm policy command groups subcommands for interacting with vHSM policies. Users can write, read, list, and delete policies.

Usage

vhsm policy <subcommand> [options] [args]

Subcommands

vhsm policy delete

Deletes the specified policy from the vHSM server. This action immediately affects all tokens associated with the policy.

Example

vhsm policy delete my-policy

Output

Success! Deleted policy: my-policy

This command does not have additional flags beyond the standard vHSM CLI options.

vhsm policy fmt

Formats a local policy file according to vHSM's policy specification. This command overwrites the existing file.

Example

vhsm policy fmt my-policy.hcl

Output

Success! Formatted policy: my-policy.hcl

This command does not have additional flags beyond the standard vHSM CLI options.

vhsm policy list

Lists the names of all installed policies in the vHSM server.

Example

vhsm policy list

Output:

default
my-policy
root

Options

vhsm policy read

Displays the contents and metadata of a specified policy. Returns an error if the policy does not exist.

Example

vhsm policy read my-policy

Output

# Define policy name and capabilities
path "secret/data/my-app/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Grant read-only access to another secret path
path "secret/data/config" {
  capabilities = ["read", "list"]
}

# Allow access to check authentication status
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

Options

vhsm policy write

Uploads a policy from a file or standard input.

Examples

Upload a policy from a local file:

vhsm policy write my-policy /tmp/policy.hcl

Upload a policy from stdin:

cat my-policy.hcl | vault policy write my-policy 

Output

Success! Uploaded policy: my-policy

This command does not have additional flags beyond the standard Vault CLI options.