What’s the difference between the following (policy vs. capabilities)?
"secret/applications/foo/*": {
  "policy": "read"
},
"secret/applications/foo/*": {
  "capabilities": ["read"]
},
Hi J.D.,
The former is an older policy syntax which was deprecated in Vault 0.5.0. With the old-style syntax, "policy": "read" actually grants "capabilities": ["read", "list"] (see vault/policy.go).
Capabilities allow for more fine-grained control when constructing policies.
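
An added example, not part of the original thread or of Vault's own code: a small audit script that rewrites legacy "policy" entries in a JSON policy document as explicit capabilities and reports what each one grants beyond its name. The "read" mapping is the one given in the reply above; the "deny", "write" and "sudo" rows, the "path" wrapper and the bar path in the sample are assumptions to check against vault/policy.go for your version.

```python
import json

# Legacy "policy" value -> explicit capabilities. "read" is the mapping from
# the reply above; the other rows are assumptions (verify in vault/policy.go).
LEGACY_TO_CAPABILITIES = {
    "deny": ["deny"],
    "read": ["read", "list"],
    "write": ["create", "read", "update", "delete", "list"],
    "sudo": ["create", "read", "update", "delete", "list", "sudo"],
}

def migrate_policy(doc):
    """Return (migrated_doc, findings); findings are (path, legacy, note)."""
    migrated, findings = {}, []
    for path, rule in doc.get("path", {}).items():
        legacy = rule.get("policy")
        migrated[path] = rule  # default: keep the rule untouched
        if legacy is None:
            continue
        if "capabilities" in rule:
            findings.append((path, legacy, "both keys set, review by hand"))
            continue
        caps = LEGACY_TO_CAPABILITIES.get(legacy)
        if caps is None:
            findings.append((path, legacy, "unknown legacy value, left as is"))
            continue
        new_rule = {k: v for k, v in rule.items() if k != "policy"}
        new_rule["capabilities"] = list(caps)
        migrated[path] = new_rule
        # Capabilities the shorthand grants beyond what its name suggests.
        extra = [c for c in caps if c != legacy]
        note = "also grants: " + ", ".join(extra) if extra else "no extra grants"
        findings.append((path, legacy, note))
    return {**doc, "path": migrated}, findings

# Constructed sample: the foo path is from the question, the bar path is made up.
SAMPLE = json.loads("""
{"path": {
  "secret/applications/foo/*": {"policy": "read"},
  "secret/applications/bar/*": {"capabilities": ["read"]}
}}
""")

if __name__ == "__main__":
    new_doc, findings = migrate_policy(SAMPLE)
    print(json.dumps(new_doc, indent=2))
    for path, legacy, note in findings:
        print(f'{path}: "policy": "{legacy}" {note}')
```

If the extra "list" grant is not wanted on a path, drop it from the generated capabilities before applying the policy.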