Import Policies/ACLs


I have this situation;

A productive HashiVault free, Storage “file”, only keys

And other, cloned system, enterprise, “raft” keys, ACLs and policies.

How can I get the keys from the productive system into the cloned system without loosing the ACLs and policies

Any clue?



I am sorry, but your post is quite muddled and vague. You will need to explain better what you are asking about.

What do you mean, “only keys”?

What do you mean, “cloned”? Clearly it’s not an exact clone if it contains different data?

What do you mean, ““raft” keys”?

The word “key” can mean so many different things - please clarify.

What do you mean, “ACLs and policies”? Vault has policies, which are formally called “ACL policies” when there is a need to differentiate them from Sentinel policies, but it does not have ACLs and policies as two separate things.

Very little clue what you are referring to so far, but hopefully you can clear that up some!


we have a self-managed open source installation with secrets only and no policies or LDAP groups.
This installation uses “file” as storage.

This installation was copied to test policies and LDAP groups.
This installation uses “raft” as storage and has been upgraded to Enterprise.

In the meantime, the Q’n’D installation has been filled with more secrets.

Now I want to merge these two installations to get the secrets from the first installation and the policies and groups from the second installation.

I hope now it becomes more understandable



The only way to manipulate secrets, policies, and LDAP group configuration is via the Vault HTTP APIs.

I assume all your policies and group configurations are already stored in some configuration as code system anyway, as I can’t imagine any organization big enough to pay for Vault Enterprise, not doing that?

In which case, I’d just replace the new “raft” Vault with a fresh migration of data from the old “file” Vault, and then re-upload the policy and group configuration from whatever external source of truth you have.

Thanks for the hint.