Use Vault Policy Password created by administrator


I have suceesfully created a policy for generated password in VAULT.

When i use this policy to generate a password with a administrator token, it works

[root@srv-test tmp]# curl \
   --header "X-Vault-Token: s.HIUYHUOUHxKpDTHIU87QJS" \

But when i tried to use this policy with a non vault administrator token, i get this message
Permission denied

Can you help me please ?

Thanks for your help,


What are you doing in “trying” please provide the command the full error


The test with a token from an non administrator of Vault :slight_smile:

[root@srv-test  ~]# curl \
>    --header "X-Vault-Token: s.Jio786jhkjhoihilnIx6i" \
>    https://vault-srv:8200/v1/sys/policies/password/pwd_test_policy/generate
{"errors":["1 error occurred:\n\t* permission denied\n\n"]}


That’s probably just a missing policy in your token’s assigned policy.

With a admin token (or root token)

# vault token capabilities s.Jio786jhkjhoihilnIx6i sys/policies/password/pwd_test_policy/

Which means you need to add a policy statement:

path "sys/policies/password/pwd_test_policy/*" {
   capabilities = [ "read" ]

Is there a way to do that by API ?
Thank you for your help,


I found this in the documentation but i don’t know how to build the json fil to configure read on my policy password.


$ vault token capabilities -output-curl-string s.Jio786jhkjhoihilnIx6i sys/policies/password/pwd_test_policy/
curl -X POST -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"path":"sys/policies/password/pwd_test_policy/","token":"s.Jio786jhkjhoihilnIx6i"}' https://vault:8200/v1/sys/capabilities

I don’t understand your command.
I don’t see READ (for use) permission to use the policy that generate password.


sys/capabilities does not modify your policy. It checks a token against a path to see what the resulting permissions are for that token with the policies it has.

You have to use sys/policies/acl to read and write your policy … there is no “update” AFAIK.


Thank you for your explanations.

I have created an ACL policy for my password policy path like this.

Content of json file for the ACL policy creation :

  "policy": "path \"sys/policies/password/pwd_test_policy/\"\n{\n  capabilities = [\"list\"]\n}"

Creation of the ACL policy :

curl \
    --header "X-Vault-Token: s.dfgdgdgfgIOYT86887HK" \
    --request POST \
    --data @test_vault_policy.json \

Display the ACL Policy :

curl \
    --header "X-Vault-Token: s.dfgdgdgfgIOYT86887HK" \

{"request_id":"ebcb09ae-dc9b-d3bb-20d1-8ed1c12f3b15","lease_id":"","renewable":false,"lease_duration":0,"data":{"name":"pwd_test_policy","policy":"path \"sys/policies/password/pwd_test_policy/\"\n{\n capabilities = [\"list\"]\n}"},"wrap_info":null,"warnings":null,"auth":null}

When i tried to use my password policy with a non administrator token, i always get a permission denied.

curl \
    --header "X-Vault-Token: s.HJKhuihUIHO87678HHL" \

{"errors":["1 error occurred:\n\t* permission denied\n\n"]}

Thanks for your help,


I feel like you’re just throwing things against the wall to see what happens rather than learning how it works. I highly recommend just going through the Vault Tutorials - HashiCorp Learn lessons to get the basics.

You don’t “use” the policy. You generate a token with that policy.

You can lookup the token to see what policies it is using with: vault token lookup


Yes i am in the wall :).

I’m not the administrator of our Vault and the teams has no time right now.

I use Vault by API from my Ansible playbook for :

  • Get user and password secret [GET]
  • Create or update secret [GET]
  • Generate password with this URL [/gen/password] and json file with [length/digits/symbols] [POST]

I want to improve my Vault Ansible Role for “Generated password” because with this path to generate a password /gen/password, There are symbols that cause me problems.

So i try to create a policy with a list of char/number/symbol that i want/validate.

I have succesfully create the password policy but i can’t use it with a non vault administrator.

I understand the ACL is used to configure permission on a path.

So i try to configure [READ] permission on the path of my password policy to allowed [GET] method for a non vault administrator.

Sorry for your time,


You might be conflating two different things.

The built-in password policies and associated generator are different than the /gen/password API, which, if I’m not mistaken, is actually a third party plugin called vault-secrets-gen. This plugin does not use Vault’s password policies but rather you can pass in various parameters to control which characters are used. It’s not as granular as the built-in password policies, however.

Also, a couple notes on password policies:

  • Listing of policies is not available in Vault prior to 1.10. Currently you’ll need to know what your policy name is to update, read, or delete it
  • To create a new policy you’ll have to create a policy document and upload the doc when creating the policy
    vault write sys/policies/password/my_password_policy policy=@/path/to/my_policy.hcl
  • To generate a password using this policy you would run
    vault read sys/policies/password/my_password_policy/generate

Of course you may need to make ACL policy adjustments to allow using the various API endpoints.

Example policy:

# Manage password policies & generate passwords
path "/sys/policies/password/*" {
  capabilities = ["create", "read", "update", "delete"]

But you should also take @aram’s advice to more thoroughly read through the docs and get to know Vault. It may take a little time to get familiar with things but once it clicks it should be pretty easy to find your way around.

Hope this helps.

Hi everyone,

Thanks for your advices.

I went to see the team responsible of our Vault.
We created an ACL policy and give right for our LDAP group to use it.

Now with a non administrator token, i can use my password policy.

Thanks all,