Tharun Shiv
What are Vault User Policies & how to create them? Hashicorp Vault

Hashicorp Vault

HashiCorp Vault is open-source software from HashiCorp that is used to manage secrets.

What is a secret?

A secret is anything used to authenticate or authorize oneself, such as a password, token or key. More broadly, secrets are pieces of information that are private to a user and must not be exposed.

What are policies?

Policies are rules that define access to secrets. A policy grants a chosen level of access to a path, such as create, update, read or delete, and is then attached to a user's authentication mechanism (for example, a token). That user has only the access granted by the policies attached to their credentials. This is how Vault enforces least privilege: every stakeholder gets the minimal, necessary access and nothing more.

```shell
# export variables that will be used by Vault when commands
# are run in the current terminal session
export VAULT_ADDR=''                 # address of your Vault server
export VAULT_TOKEN='s.hfAJfADfj...'  # a token with permission to manage policies

# check Vault server status
vault status

# log in to Vault
vault login

# view information about the currently logged-in token
vault token lookup

# create policies and respective tokens
# the user policy only grants read on the KV v2 data path
vim secret-user-policy.hcl
path "secret/data/*" {  capabilities = ["read"] }

# the admin policy additionally grants create and update
vim secret-admin-policy.hcl
path "secret/data/*" {  capabilities = ["read", "create", "update"] }

# write the policies into Vault under the given names
vault policy write secret-user-policy secret-user-policy.hcl
vault policy write secret-admin-policy secret-admin-policy.hcl

# read a policy back
vault policy read secret-user-policy
vault policy read secret-admin-policy

# list all policies
vault policy list

# create one token per policy; each token carries only its attached policy
vault token create -format=json -policy="secret-user-policy"
vault token create -format=json -policy="secret-admin-policy"
```

The HCL file consists mainly of a path and a set of capabilities. The path states which Vault paths the enclosed capabilities apply to, and it may contain wildcard patterns (such as the trailing `*` above) so that one rule matches many Vault paths. The capabilities include:

  1. read: Similar to the GET HTTP method, allows reading the data at the given path.
  2. create: Similar to the POST and PUT HTTP methods, allows creating data at the given path. Very few parts of Vault distinguish between create and update, so most operations require both the create and update capabilities. The parts of Vault that make this distinction are noted in the documentation.
  3. update: Similar to the POST and PUT HTTP methods, allows changing the data at the given path. In most parts of Vault, this implicitly includes the ability to create the initial value at the path.
  4. delete: Similar to the DELETE HTTP method, allows deleting the data at the given path.
  5. list: Allows listing values at the given path.
  6. sudo: Allows access to paths that are root-protected. Tokens are not permitted to interact with these paths unless they have the sudo capability.
  7. deny: Disallows access. This always takes precedence regardless of any other defined capabilities, including sudo.


Testing the policies

Now let us test the two policies by logging in with one token of each type and attempting the same operations.

```shell
# open a tmux session and split it into two panes, one for the admin token
# and one for the user token, so both policies can be tested side by side
tmux new -s demo

# in each pane
export VAULT_ADDR=''
export VAULT_TOKEN='s.hfAJfADfj...'

vault login        # enter the respective token (admin in one pane, user in the other)
vault token lookup # view information about the currently logged-in token

# --- admin pane: the admin policy grants create/update on secret/data/* ---
# on a KV v2 engine the kv command inserts "data/" itself, so
# "vault kv put secret/mysql" writes to the API path secret/data/mysql,
# which is the path the policy matches; notice the version number increase on each put
vault kv put secret/mysql username=root

# add multiple keys in a single command
vault kv put secret/mysql username=root password=root

# read the value from stdin so the token is not recorded in the terminal history
vault kv put secret/googlecloud token=-

# read the keys from a JSON file
vault kv put secret/googlecloud @apitoken.json

# add multiple keys spread across several lines
vault kv put secret/aerospike \
     username=root \
     password=root \
     tlsname=securecert

# read the secret
vault kv get secret/mysql

# --- user pane: the user policy grants only read on secret/data/* ---
vault kv put secret/mysql username=root # permission denied: this token's policy does not grant create/update

vault kv get secret/mysql # works, since read is allowed
```
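To make the capability rules and the tmux test above concrete without a running Vault server, here is an added example (not code from the post or from Vault itself) that re-implements the relevant slice of Vault's policy evaluation in Python: it parses the post's two policies, merges a token's policies, picks the most specific matching path rule, applies deny precedence, and replays the admin-versus-user checks. The `DENY_GOOGLECLOUD_POLICY`, the function names and the KV v2 path helper are constructed for this example; the policy texts are the ones from the post.

```python
"""Toy evaluator for Vault ACL policy semantics (added example, not Vault's own code)."""
import re

# The two policies written in the post (KV v2 API paths under the "secret/" mount).
SECRET_USER_POLICY = 'path "secret/data/*" { capabilities = ["read"] }'
SECRET_ADMIN_POLICY = 'path "secret/data/*" { capabilities = ["read", "create", "update"] }'
# Constructed for this example: an explicit deny on a single secret. Vault gives
# deny precedence over every other capability, including sudo.
DENY_GOOGLECLOUD_POLICY = 'path "secret/data/googlecloud" { capabilities = ["deny"] }'

# Matches the subset of policy HCL used in the post: path "<pattern>" { capabilities = [...] }
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)


def parse_policy(hcl: str) -> dict:
    """Return {path_pattern: set(capabilities)} for one policy document."""
    rules = {}
    for pattern, caps in RULE_RE.findall(hcl):
        rules[pattern] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def merge_policies(policies) -> dict:
    """Union the rules of every policy attached to a token; deny on a pattern wins."""
    merged = {}
    for hcl in policies:
        for pattern, caps in parse_policy(hcl).items():
            merged.setdefault(pattern, set()).update(caps)
    return {p: ({"deny"} if "deny" in c else c) for p, c in merged.items()}


def pattern_matches(pattern: str, path: str) -> bool:
    """Vault path patterns: a trailing '*' is a prefix glob, '+' matches one path segment."""
    if pattern.endswith("*"):
        regex = re.escape(pattern[:-1]).replace(r"\+", "[^/]+") + ".*"
    else:
        regex = re.escape(pattern).replace(r"\+", "[^/]+")
    return re.fullmatch(regex, path) is not None


def most_specific_rule(rules: dict, path: str):
    """An exact pattern beats globs; among matching globs the longest prefix wins."""
    if path in rules:
        return path, rules[path]
    candidates = [p for p in rules if pattern_matches(p, path)]
    if not candidates:
        return None, set()
    best = max(candidates, key=len)
    return best, rules[best]


def is_allowed(policies, path: str, capability: str) -> bool:
    """True if a token holding `policies` may perform `capability` on the API path."""
    _, caps = most_specific_rule(merge_policies(policies), path)
    if not caps or "deny" in caps:
        return False
    return capability in caps


def kv2_api_path(mount: str, key: str, op: str = "data") -> str:
    """`vault kv put secret/mysql` on a KV v2 mount hits secret/data/mysql; policies are
    written against that API path, not the CLI path (assumption: a KV v2 engine)."""
    return f"{mount.strip('/')}/{op}/{key.lstrip('/')}"


def simulate_post_test() -> dict:
    """Replay the admin-pane / user-pane checks from the post against the evaluator."""
    admin, user = [SECRET_ADMIN_POLICY], [SECRET_USER_POLICY]
    mysql = kv2_api_path("secret", "mysql")  # secret/data/mysql
    return {
        # a put needs both create and update in most of Vault
        "admin_put_mysql": is_allowed(admin, mysql, "create") and is_allowed(admin, mysql, "update"),
        "user_get_mysql": is_allowed(user, mysql, "read"),
        "user_put_mysql": is_allowed(user, mysql, "update"),
        # KV v2 listing goes through secret/metadata/, which neither policy grants
        "user_list_metadata": is_allowed(user, kv2_api_path("secret", "", "metadata"), "list"),
        # attaching the deny policy overrides the admin grant on that one path
        "admin_read_googlecloud_with_deny": is_allowed(
            admin + [DENY_GOOGLECLOUD_POLICY], kv2_api_path("secret", "googlecloud"), "read"),
    }


if __name__ == "__main__":
    for check, result in simulate_post_test().items():
        print(f"{check}: {'allowed' if result else 'denied'}")
```

The `user_put_mysql` result is the denial seen in the user pane, and `user_list_metadata` shows why `vault kv list secret/` would also fail for both tokens: KV v2 listing is a `list` on `secret/metadata/`, a path that neither policy covers. Adding the constructed deny policy on top of the admin policy demonstrates the precedence rule from capability 7 above.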

Thus, we have seen what goes into creating a policy, how to create one, and have also tested the policies to see the difference between them.

More trending articles on Hashicorp Vault:

What is Vault? Why do we need it?

Set up a Vault Dev and Production server in 5 minutes:

Written by,

Thank you for reading. This is Tharun Shiv, a.k.a. Developer Tharun.
Roadrunners is a series that is aimed at delivering concepts as precisely as possible. Here, a roadrunner is referred to as a person who does things super fast & efficiently. Are you a roadrunner?

Thank you
