vhsm policy

Learn to write, read, list, and delete vHSM policies

The vhsm policy command groups subcommands for interacting with vHSM policies. Users can write, read, list, and delete policies.

Usage

vhsm policy <subcommand> [options] [args]

Subcommands

Subcommand    Description
delete        Deletes a policy by name.
fmt           Formats a local policy file.
list          Lists installed policies.
read          Prints the contents of a policy.
write         Uploads a named policy from a file.

vhsm policy delete

Deletes the specified policy from the vHSM server. This action immediately affects all tokens associated with the policy.

Note: The built-in default and root policies cannot be deleted.

Example

vhsm policy delete my-policy

Output

Success! Deleted policy: my-policy

This command does not have additional flags beyond the standard vHSM CLI options.

vhsm policy fmt

Formats a local policy file according to vHSM's policy specification. This command overwrites the existing file.

Example

vhsm policy fmt my-policy.hcl

Output

Success! Formatted policy: my-policy.hcl

This command does not have additional flags beyond the standard vHSM CLI options.

vhsm policy list

Lists the names of all installed policies in the vHSM server.

Example

vhsm policy list

Output

default
my-policy
root

Options

Flag       Type      Default   Description
-format    string    table     Output format: table, json, or yaml. Can also be set via VAULT_FORMAT.

vhsm policy read

Displays the contents and metadata of a specified policy. Returns an error if the policy does not exist.

Example

vhsm policy read my-policy

Output

# Define policy name and capabilities
path "secret/data/my-app/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Grant read-only access to another secret path
path "secret/data/config" {
  capabilities = ["read", "list"]
}

# Allow access to check authentication status
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

Options

Flag       Type      Default   Description
-format    string    table     Output format: table, json, or yaml. Can also be set via VAULT_FORMAT.


vhsm policy write

Uploads a policy from a file or standard input.

Examples

Upload a policy from a local file:

vhsm policy write my-policy /tmp/policy.hcl

Upload a policy from stdin:

cat my-policy.hcl | vhsm policy write my-policy -

Output

Success! Uploaded policy: my-policy

This command does not have additional flags beyond the standard vHSM CLI options.
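Before a policy file reaches vhsm policy write, it is worth checking it for the grants that are hardest to undo later. The following added example (not part of vHSM or this page) parses the path/capabilities blocks in the format shown under vhsm policy read and reports broad grants; the capability set and the rule thresholds are assumptions, not something the page specifies.

```python
import re
from typing import Dict, List

# Capability names accepted in Vault-style policies (assumption: vHSM uses the same set).
KNOWN_CAPS = {"create", "read", "update", "delete", "list", "sudo", "deny", "patch"}

# Matches one block of the form: path "<path>" { capabilities = ["<cap>", ...] }
_BLOCK = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

# Constructed sample: the policy body shown in the vhsm policy read output above.
SAMPLE_POLICY = """
# Define policy name and capabilities
path "secret/data/my-app/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Grant read-only access to another secret path
path "secret/data/config" {
  capabilities = ["read", "list"]
}

# Allow access to check authentication status
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
"""

def parse_policy(text: str) -> Dict[str, List[str]]:
    """Return {path: [capabilities]} for every path block, ignoring # comments."""
    text = re.sub(r"#.*", "", text)
    return {path: re.findall(r'"([^"]+)"', caps) for path, caps in _BLOCK.findall(text)}

def audit_policy(text: str) -> List[str]:
    """Report grants a reviewer should confirm before the policy is uploaded."""
    findings = []
    for path, caps in parse_policy(text).items():
        unknown = sorted(set(caps) - KNOWN_CAPS)
        if unknown:
            findings.append(f"{path}: unknown capabilities {unknown}")
        if "sudo" in caps:
            findings.append(f"{path}: grants sudo")
        if path.strip("/") == "*":
            findings.append(f"{path}: matches every path")
        if ("*" in path or "+" in path) and "delete" in caps:
            findings.append(f"{path}: delete on a wildcard path")
    return findings

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY) or ["no findings"]:
        print(line)
```

Run it against the file you are about to upload; the sample policy above produces one finding, because the my-app wildcard path carries delete.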
