How to clean up unused vault policies

Hi team,

I was wondering how I can clean up unused policies? Is there a nice way to do this?

Kindly guide :slight_smile:

Is there a way to identify that a policy has no tokens associated and is not used by anyone?

Not easily. You basically have to write a script that walks through every part of the Vault API where policy names could be referenced, and build the information about which ones are.

You can pretty much just walk through the enabled/configured auth/* to see what policies are being used. Don't forget group policies. It gets a lot more difficult in Enterprise and namespaces, but it's doable.

This has been an enhancement request from us to HashiCorp for a while now. Keep in mind that an unused policy may not be a deletable policy. You do end up creating tokens with policies that are unattached to an auth, so just be careful about assuming anything not attached can be deleted.
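The walk the replies describe, written out as an added example (not from this thread and not HashiCorp tooling): it runs over constructed stand-ins for the JSON you would get from `auth/<mount>/role/<name>`, `identity/group/name/<name>`, `identity/entity/name/<name>` and `auth/token/lookup-accessor`, and keeps the split the last reply warns about, between "no config references this policy" and "no live token carries it". The mount names, role configs and policy names are assumptions; in a real run each dict would be filled from `vault read -format=json` or an API client.

```python
# Constructed sample data shaped like Vault API responses (assumption: real
# values come from the API; these mounts, roles and policies are made up).
ALL_POLICIES = ["default", "root", "app-ro", "ci-deploy", "legacy-db", "admins", "stale-test"]

# auth mount -> role name -> role config. Newer auth methods use "token_policies",
# older ones "policies", so both keys are checked below.
AUTH_ROLES = {
    "approle/": {"ci": {"token_policies": ["ci-deploy", "default"]}},
    "kubernetes/": {"app": {"policies": ["app-ro"]}},
}
# identity groups and entities carry policies directly
IDENTITY_GROUPS = {"ops": {"policies": ["admins"]}}
IDENTITY_ENTITIES = {"alice": {"policies": []}}
# accessor -> lookup-accessor result for every currently live token
LIVE_TOKENS = {"accessor-1": {"policies": ["legacy-db", "default"]}}

BUILTIN = {"root", "default"}  # cannot be deleted, so never candidates


def policies_referenced_by_config(auth_roles, groups, entities):
    """Every policy name attached to an auth role, identity group or entity."""
    seen = set()
    for roles in auth_roles.values():
        for cfg in roles.values():
            seen.update(cfg.get("token_policies", []))
            seen.update(cfg.get("policies", []))
    for obj in list(groups.values()) + list(entities.values()):
        seen.update(obj.get("policies", []))
    return seen


def unreferenced_policies(all_policies, auth_roles, groups, entities):
    """Policies no auth role, group or entity points at (may still be on live tokens)."""
    used = policies_referenced_by_config(auth_roles, groups, entities)
    return sorted(p for p in all_policies if p not in used and p not in BUILTIN)


def deletable_policies(all_policies, auth_roles, groups, entities, live_tokens):
    """Unreferenced policies that no live token carries either."""
    held = {p for tok in live_tokens.values() for p in tok.get("policies", [])}
    candidates = unreferenced_policies(all_policies, auth_roles, groups, entities)
    return [p for p in candidates if p not in held]


if __name__ == "__main__":
    print("unreferenced:", unreferenced_policies(ALL_POLICIES, AUTH_ROLES, IDENTITY_GROUPS, IDENTITY_ENTITIES))
    print("deletable:", deletable_policies(ALL_POLICIES, AUTH_ROLES, IDENTITY_GROUPS, IDENTITY_ENTITIES, LIVE_TOKENS))
```

Here `legacy-db` drops out of the unreferenced list because a live token still holds it, which is exactly the case the last reply says not to assume is safe.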