Reference for policy format


I have been browsing the Vault documentation in search of a reference document for the format of policies, without success. Especially, I am looking for a list of capabilities, and whether a wildcard can be used to say “all capabilities”.

Many thanks for your help!

Strangely, there isn’t a reference document for this important syntax.

Policies | Vault by HashiCorp is the closest, but it’s more of a guide than a reference.

It does include the complete list of capabilities, in this section: Policies | Vault by HashiCorp

There is no wildcard. All capabilities would be written as ["read", "list", "create", "update", "delete", "sudo"] - do not include sudo unless you genuinely want to authorize Vault administrative actions.

Extra parts of the policy syntax that only apply to Vault Enterprise are documented at Vault Enterprise Control Groups | Vault by HashiCorp.

Thanks @maxb. I did see this list of capabilities, but the documentation does not say that it is exhaustive…

I believe I can use wildcards in paths, is that correct? Will this match any path:

path "*" {

? Thanks!

I can’t find the word “exhaustive” in that page? The list there was complete up to Vault 1.8 …

A new "patch" capability was added in Vault 1.9 to control the new support for using HTTP PATCH on KVs, and it seems that hasn’t been added to the documentation.

Wildcards are covered in the previously linked document.

path "*" { ... }

works as you might expect, but beware that with policy like:

path "*" { ... all the permissions ... }

path "foobar" { ... just read ... }

the more specific block takes precedence, and writes to foobar will be denied.
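The precedence rule described above, as an added Python model written for this thread (it is not Vault's code and was not posted by anyone here): the policy is held as data rather than HCL, and the model assumes an exact path beats a glob while the longest glob prefix wins among globs. The `Rule` type and function names are hypothetical; "deny" is a real Vault capability that the thread's list omits.

```python
"""Model of Vault's 'most specific path wins' rule. Assumption-laden
illustration for the thread, not Vault's own policy engine."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Capability list from the thread, plus "patch" (Vault 1.9+) and "deny".
CAPABILITIES = {"create", "read", "update", "patch", "delete", "list", "sudo", "deny"}

@dataclass(frozen=True)
class Rule:
    path: str                 # path pattern from the HCL block; trailing "*" is a glob
    capabilities: frozenset   # the block's capabilities list

def rule_matches(rule: Rule, request_path: str) -> bool:
    """Exact match, or prefix match when the pattern ends with a glob."""
    if rule.path.endswith("*"):
        return request_path.startswith(rule.path[:-1])
    return rule.path == request_path

def most_specific_rule(policy: list[Rule], request_path: str) -> Optional[Rule]:
    """Assumed tie-break: an exact path beats any glob; among globs the
    longest literal prefix wins. That is the 'more specific block'."""
    matching = [r for r in policy if rule_matches(r, request_path)]
    if not matching:
        return None
    exact = [r for r in matching if not r.path.endswith("*")]
    if exact:
        return exact[0]
    return max(matching, key=lambda r: len(r.path))

def is_allowed(policy: list[Rule], request_path: str, capability: str) -> bool:
    """Only the winning rule is consulted; nothing is inherited from "*"."""
    rule = most_specific_rule(policy, request_path)
    if rule is None or "deny" in rule.capabilities:
        return False
    return capability in rule.capabilities

# The policy from the thread, written as data instead of HCL:
#   path "*"      { capabilities = [everything except deny] }
#   path "foobar" { capabilities = ["read"] }
THREAD_POLICY = [
    Rule("*", frozenset(CAPABILITIES - {"deny"})),
    Rule("foobar", frozenset({"read"})),
]
```

Running `is_allowed(THREAD_POLICY, "foobar", "update")` returns False even though `"*"` grants update, which is the surprise the post warns about.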

Great, thanks a lot @maxb!

@jeffsanicola has put together a very nice Vault policy guide you can find on GitHub.

That’s great! Thanks a lot @aram!