
This assumes the following has already been done.
- Hashicorp Vault has been installed
- Hashicorp Vault has been initialized
- Hashicorp Vault has been unsealed
- You have logged into the vault
Policies define what can and cannot be done, for example whether a user is allowed to create a secret.
A role is bound to one or more policies. Let's say you have enabled the approle auth method.
- Enable approle authentication using REST API
- Enable approle authentication using the vault auth enable command
The vault list auth/<auth method>/role command lists the roles that have been created for an auth method. If no roles have been created yet, something like this is returned.
~]$ vault list auth/approle/role
No value found at auth/approle/role
And let's say you have a policy named my-policy with the following.
~]$ vault policy read my-policy
path "secret/data/*" {
capabilities = ["list", "read", "create", "update", "delete"]
}
In this scenario, the vault write command can be used to create a role named my-role.
vault write auth/approle/role/my-role \
secret_id_ttl=10m \
token_num_uses=10 \
token_ttl=20m \
token_max_ttl=30m \
secret_id_num_uses=40 \
policies="default","my-policy"
Now the vault list auth/<auth method>/role command should include the role.
~]$ vault list auth/approle/role
Keys
----
my-role
And the vault read command can be used to see that the role has my-policy.
~]$ vault read auth/approle/role/my-role
Key Value
--- -----
bind_secret_id true
local_secret_ids false
policies [default, my-policy]
secret_id_bound_cidrs <nil>
secret_id_num_uses 0
secret_id_ttl 0s
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [default, my-policy]
token_ttl 0s
token_type default
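The read-back table, not the write command, is the record of what the role actually enforces, so it is worth checking programmatically that the policies, TTLs and use counts came out as intended (a 0s TTL or a use count of 0 means unlimited). The following is an added example, not code from the article or from Hashicorp: it parses the two-column table that vault read prints, compares it with the settings the vault write command above asks for, and also builds the JSON body that the equivalent REST call, POST /v1/auth/approle/role/<name> in Vault's AppRole API, expects (token_policies is the current name of the CLI's policies argument, which is why the table shows both). The sample table is a constructed copy of the output shown above; run against it, the check reports the TTL and use-count fields, since that table shows them as 0.

```python
import json
import re

# Seconds per Vault duration unit; Vault also accepts bare integers meaning seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample: a copy of the `vault read auth/approle/role/my-role` table
# from the article, embedded so the check runs offline.
SAMPLE_READ_OUTPUT = """\
Key                     Value
---                     -----
bind_secret_id          true
local_secret_ids        false
policies                [default, my-policy]
secret_id_bound_cidrs   <nil>
secret_id_num_uses      0
secret_id_ttl           0s
token_bound_cidrs       []
token_explicit_max_ttl  0s
token_max_ttl           0s
token_no_default_policy false
token_num_uses          0
token_period            0s
token_policies          [default, my-policy]
token_ttl               0s
token_type              default
"""

# The settings the article's `vault write auth/approle/role/my-role` command asks for.
INTENDED = {
    "token_policies": ["default", "my-policy"],
    "secret_id_ttl": "10m",
    "token_ttl": "20m",
    "token_max_ttl": "30m",
    "secret_id_num_uses": 40,
    "token_num_uses": 10,
    "bind_secret_id": True,
}


def parse_duration(value):
    """Convert a Vault duration ('10m', '0s', '1h30m', or bare seconds) to seconds."""
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", text))


def role_request_body(settings):
    """JSON body for POST /v1/auth/approle/role/<name>, the API form of `vault write`.

    The keys mirror the CLI arguments; `policies` is the older alias of
    `token_policies`, so only the latter is used here.
    """
    return json.dumps(dict(settings), sort_keys=True)


def parse_vault_read(text):
    """Parse the two-column 'Key  Value' table printed by `vault read` into a dict."""
    result = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] in ("Key", "---"):
            continue  # blank line or table header
        key, raw = parts[0], parts[1].strip()
        if raw == "<nil>":
            value = None
        elif raw.startswith("[") and raw.endswith("]"):
            inner = raw[1:-1].strip()
            value = [p.strip() for p in inner.split(",")] if inner else []
        elif raw in ("true", "false"):
            value = raw == "true"
        elif raw.isdigit():
            value = int(raw)
        else:
            value = raw
        result[key] = value
    return result


def check_role(read_output, intended):
    """Compare a role's read-back settings with the intended ones.

    Returns a list of (key, intended, actual) tuples, one per mismatch. Durations
    are compared in seconds and policy lists as sets, so '10m' equals 600 and the
    order of policies does not matter.
    """
    actual = parse_vault_read(read_output)
    mismatches = []
    for key, want in intended.items():
        got = actual.get(key)
        if key.endswith("_ttl") or key == "token_period":
            same = got is not None and parse_duration(got) == parse_duration(want)
        elif isinstance(want, list):
            same = isinstance(got, list) and set(got) == set(want)
        else:
            same = got == want
        if not same:
            mismatches.append((key, want, got))
    return mismatches


if __name__ == "__main__":
    print(role_request_body(INTENDED))
    for key, want, got in check_role(SAMPLE_READ_OUTPUT, INTENDED):
        print(f"{key}: intended {want!r}, vault reports {got!r}")
```

To check a live role, capture the output of vault read auth/approle/role/<name> and pass it to check_role in place of the sample table; an empty list means every intended setting is in force.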