sys/capabilities does not modify your policy. It checks a token against a path to see what the resulting permissions are for that token with the policies it has.
You have to use sys/policies/acl to read and write your policy … there is no “update” AFAIK.
I feel like you’re just throwing things against the wall to see what happens rather than learning how it works. I highly recommend just going through the Vault Tutorials - HashiCorp Learn lessons to get the basics.
You don’t “use” the policy. You generate a token with that policy.
You can look up the token to see what policies it is using with: vault token lookup
I’m not the administrator of our Vault and the team has no time right now.
I use Vault by API from my Ansible playbook for:
Get user and password secret [GET]
Create or update secret [GET]
Generate password with this URL [/gen/password] and json file with [length/digits/symbols] [POST]
I want to improve my Vault Ansible Role for “Generated password” because with this path to generate a password, /gen/password, there are symbols that cause me problems.
So I try to create a policy with a list of chars/numbers/symbols that I want/validate.
I have successfully created the password policy but I can’t use it with a non-Vault administrator.
I understand the ACL is used to configure permission on a path.
So I try to configure [READ] permission on the path of my password policy to allow the [GET] method for a non-Vault administrator.
The built-in password policies and associated generator are different than the /gen/password API, which, if I’m not mistaken, is actually a third party plugin called vault-secrets-gen. This plugin does not use Vault’s password policies but rather you can pass in various parameters to control which characters are used. It’s not as granular as the built-in password policies, however.
Also, a couple notes on password policies:
Listing of policies is not available in Vault prior to 1.10. Currently you’ll need to know what your policy name is to update, read, or delete it.
To create a new policy you’ll have to create a policy document and upload the doc when creating the policy: vault write sys/policies/password/my_password_policy policy=@/path/to/my_policy.hcl
To generate a password using this policy you would run: vault read sys/policies/password/my_password_policy/generate
Of course you may need to make ACL policy adjustments to allow using the various API endpoints.
But you should also take @aram’s advice to more thoroughly read through the docs and get to know Vault. It may take a little time to get familiar with things but once it clicks it should be pretty easy to find your way around.
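Putting the two replies together as an added, runnable example (not code from the thread or from HashiCorp): a password policy restricted to a conservative character set, the one-line ACL that lets a non-admin token call only the generate endpoint, and a client-side check that the returned value actually fits the policy. The policy name "ansible-safe", the ACL name "ansible-passgen" and the 24-character length are assumptions; the vault commands only run where the CLI is on PATH and VAULT_ADDR/VAULT_TOKEN point at an admin session.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a Vault password policy limited to a
# conservative character set, an ACL that lets a non-admin token call its
# generate endpoint, and a client-side check that the returned password fits
# the policy. The names "ansible-safe" and "ansible-passgen" are assumptions.
set -eu
LC_ALL=C
export LC_ALL

POLICY_NAME="ansible-safe"
ACL_NAME="ansible-passgen"
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Password policy: 24 characters drawn from the union of the charsets below,
# with at least one character from every rule. Only '-', '_' and '.' are
# allowed as symbols so the value survives YAML, shell and URL contexts.
cat > "$WORKDIR/password_policy.hcl" <<'EOF'
length = 24

rule "charset" {
  charset   = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}

rule "charset" {
  charset   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}

rule "charset" {
  charset   = "0123456789"
  min-chars = 1
}

rule "charset" {
  charset   = "-_."
  min-chars = 1
}
EOF

# ACL policy: the generate endpoint is a read, so "read" on exactly that path
# is all the Ansible token needs; it cannot read or rewrite the policy itself.
cat > "$WORKDIR/acl_policy.hcl" <<EOF
path "sys/policies/password/$POLICY_NAME/generate" {
  capabilities = ["read"]
}
EOF

# Client-side check mirroring the policy: exact length, no character outside
# the union of charsets, and at least one character from each rule.
validate_password() {
  pw="$1"
  [ "${#pw}" -eq 24 ] || return 1
  case "$pw" in *[!A-Za-z0-9._-]*) return 1 ;; esac
  case "$pw" in *[a-z]*) ;; *) return 1 ;; esac
  case "$pw" in *[A-Z]*) ;; *) return 1 ;; esac
  case "$pw" in *[0-9]*) ;; *) return 1 ;; esac
  case "$pw" in *[._-]*) ;; *) return 1 ;; esac
  return 0
}

# Live steps, skipped when the vault CLI is absent. The first two commands are
# the one-time admin part; everything after runs with the restricted token.
if command -v vault >/dev/null 2>&1; then
  vault write "sys/policies/password/$POLICY_NAME" policy=@"$WORKDIR/password_policy.hcl"
  vault policy write "$ACL_NAME" "$WORKDIR/acl_policy.hcl"

  # A token carrying only the ACL above, as the Ansible role would hold.
  ROLE_TOKEN="$(vault token create -policy="$ACL_NAME" -field=token)"
  PW="$(VAULT_TOKEN="$ROLE_TOKEN" vault read -field=password \
        "sys/policies/password/$POLICY_NAME/generate")"

  if validate_password "$PW"; then
    echo "generated password matches the policy"
  else
    echo "generated password violates the policy" >&2
    exit 1
  fi
fi
```

From Ansible the same call is a plain GET on sys/policies/password/ansible-safe/generate with the restricted token, which is exactly what `vault read` sends; a token lookup on that token should list only the ansible-passgen policy (plus default), and `vault token capabilities` against the generate path should come back as read.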