This assumes the following has already been done.
- Hashicorp Vault has been installed
- Hashicorp Vault has been initialized
- Hashicorp Vault has been unsealed
- You have logged into the vault
Policies define what can and cannot be done, for example whether a user is allowed to create a secret. The vault policy list command lists the installed policies.
~]# vault policy list
default
root
Let's create a file named /tmp/policy.hcl with the following contents, which grants full permissions (list, read, create, update and delete) on everything under the secret/data/ path.
path "secret/data/*" {
capabilities = ["list", "read", "create", "update", "delete"]
}
Then use the vault policy write command to create the policy.
~]$ vault policy write my-policy /tmp/policy.hcl
Success! Uploaded policy: my-policy
Be aware that if you are running Hashicorp Vault in a Docker container, you will need to create the /tmp/policy.hcl file in the Docker container, not on the Docker host system.
~]$ sudo docker exec hashicorp_vault vault policy write my-policy /tmp/policy.hcl
Success! Uploaded policy: my-policy
And now the vault policy list command should include the policy you created.
~]$ vault policy list
default
my-policy
root
The vault policy read command shows that the stored policy matches the contents of your /tmp/policy.hcl file.
~]$ vault policy read my-policy
path "secret/data/*" {
capabilities = ["list", "read", "create", "update", "delete"]
}
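The steps above (write the policy file, upload it, read it back) collected into one script, as an added example that is not part of the original article. It writes the article's policy to /tmp/policy.hcl, prints each path with its capabilities, flags wildcard paths that also grant destructive or privileged capabilities (the lint rule is this example's own, not something Vault enforces), and only uploads and verifies when the vault CLI is installed and the earlier login has set VAULT_ADDR and VAULT_TOKEN. The policy name my-policy and the file path come from the article; the helper names are this example's.

```shell
#!/bin/sh
# Added example, not from the original article or from HashiCorp.
# Assumes the policy name "my-policy" and file /tmp/policy.hcl used in the article.

POLICY_NAME="my-policy"
POLICY_FILE="${POLICY_FILE:-/tmp/policy.hcl}"

# Write the article's policy to the given file.
write_policy_file() {
  cat > "$1" <<'EOF'
path "secret/data/*" {
  capabilities = ["list", "read", "create", "update", "delete"]
}
EOF
}

# Print one line per path stanza: <path><TAB><space-separated capabilities>.
# Handles only the simple  path "..." { capabilities = [...] }  form used here.
policy_paths() {
  awk '
    /^[[:space:]]*path[[:space:]]+"/ {
      match($0, /"[^"]*"/); p = substr($0, RSTART + 1, RLENGTH - 2)
    }
    /capabilities[[:space:]]*=/ {
      s = $0; sub(/.*\[/, "", s); sub(/\].*/, "", s)
      gsub(/[",]/, " ", s); gsub(/[[:space:]]+/, " ", s)
      sub(/^ /, "", s); sub(/ $/, "", s)
      print p "\t" s
    }' "$1"
}

# Lint rule of this example: a wildcard path that also grants delete, sudo or
# root is reported and the function returns 1; otherwise it returns 0.
lint_policy() {
  findings=$(policy_paths "$1" | awk '
    BEGIN { FS = "\t" }
    index($1, "*") && ($2 ~ /(^| )(delete|sudo|root)( |$)/) {
      print "broad grant: path " $1 " has [" $2 "]"
    }')
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Upload with the vault CLI and confirm the stored policy matches the file,
# as the article does with vault policy write / vault policy read.
# Returns 2 when the vault CLI is not available so the rest still runs.
upload_and_verify() {
  if ! command -v vault >/dev/null 2>&1; then
    echo "vault CLI not found; skipping upload" >&2
    return 2
  fi
  vault policy write "$POLICY_NAME" "$1" || return 1
  vault policy read "$POLICY_NAME" | diff -b - "$1"
}

main() {
  write_policy_file "$POLICY_FILE"
  echo "paths and capabilities in $POLICY_FILE:"
  policy_paths "$POLICY_FILE"
  if ! lint_policy "$POLICY_FILE"; then
    echo "review the findings above before uploading" >&2
  fi
  upload_and_verify "$POLICY_FILE" || echo "upload skipped or failed (see above)" >&2
}

main
```

Run it on a host where you have already logged in; inside a container, run it with docker exec as the article notes, since the file must exist where the vault CLI runs. The article's policy is reported by the lint because secret/data/* combines a wildcard with delete; a narrower policy such as read on secret/data/app passes.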