Best practices for "admin" policy?

Hello! Are there best practices for “admin” policy?

I use this policy:

path "*" {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]

It’s good?

Check this one:

1 Like

Is there a simpler policy? I have an admin policy that started like the one linked by Wolfsrudel, but it didn’t provide access to everything. So I kept adding things, until I got to an AppRole that had been created by one of our users, and it specified only “read”, so now I have to manually add a bunch more things.

What I want is a simple policy that simply says: ANYTHING, EVERYTHING complete access.

Is there such a thing?

Here is what I finally came up with. Add into your policy for those who need to become admins this:

path "auth/token/*"
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]

Then, after assuming the policy with that line, issue this:

vault login $( vault write -f /auth/token/create-orphan ttl=1h policies=admin \
  | grep '^token   ' | awk '{print $2}' )