From aca9f4c5aba17cfdc91ab6318d60c6954769e1e1 Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski
Date: Sun, 18 Jan 2026 12:01:42 +0100
Subject: [PATCH] Add policy files for Vault: admin, app_role, and identity policies
---
 policies/README.md | 12 +++++++
 policies/admin_policy.hcl | 51 ++++++++++++++++++++++++++++++
 policies/app_role_admin.hcl | 19 +++++++++++
 policies/identity_admin_policy.hcl | 8 +++++
 4 files changed, 90 insertions(+)
 create mode 100644 policies/README.md
 create mode 100644 policies/admin_policy.hcl
 create mode 100644 policies/app_role_admin.hcl
 create mode 100644 policies/identity_admin_policy.hcl
diff --git a/policies/README.md b/policies/README.md
new file mode 100644
index 0000000..5ad8f9d
--- /dev/null
+++ b/policies/README.md
@@ -0,0 +1,12 @@
+# HashiCorp Vault Policies
+
+## Policy Commands
+
+```bash
+vault policy list
+vault policy read
+vault policy write
+vault policy delete
+```
+
+Format a policy file using `vault policy fmt `.
diff --git a/policies/admin_policy.hcl b/policies/admin_policy.hcl
new file mode 100644
index 0000000..a0f469e
--- /dev/null
+++ b/policies/admin_policy.hcl
@@ -0,0 +1,51 @@
+# Read system health check
+path "sys/health" {
+ capabilities = ["read", "sudo"]
+}
+
+# Create and manage ACL policies broadly across Vault
+
+# List existing policies
+path "sys/policies/acl" {
+ capabilities = ["list"]
+}
+
+# Create and manage ACL policies
+path "sys/policies/acl/*" {
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Enable and manage authentication methods broadly across Vault
+
+# Manage auth methods broadly across Vault
+path "auth/*" {
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create, update, and delete auth methods
+path "sys/auth/*" {
+ capabilities = ["create", "update", "delete", "sudo"]
+}
+
+# List auth methods
+path "sys/auth" {
+ capabilities = ["read"]
+}
+
+# Enable and manage the key/value secrets engine at `secret/` path
+
+# List, create, update, and delete key/value secrets
+# path "secret/*"
+# {
+# capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+# }
+
+# Manage secrets engines
+path "sys/mounts/*" {
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List existing secrets engines.
+path "sys/mounts" {
+ capabilities = ["read"]
+}
diff --git a/policies/app_role_admin.hcl b/policies/app_role_admin.hcl
new file mode 100644
index 0000000..a05adb3
--- /dev/null
+++ b/policies/app_role_admin.hcl
@@ -0,0 +1,19 @@
+# Mount the AppRole auth method
+path "sys/auth/approle" {
+ capabilities = [ "create", "read", "update", "delete", "sudo" ]
+}
+
+# Configure the AppRole auth method
+path "sys/auth/approle/*" {
+ capabilities = [ "create", "read", "update", "delete" ]
+}
+
+# Create and manage roles
+path "auth/approle/*" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+# Write ACL policies
+path "sys/policies/acl/*" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
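Review bot: `path "auth/*"` with every capability plus `sudo` in admin_policy.hcl also covers `auth/token/*`, so a holder of this policy can mint tokens, and together with full write on `sys/policies/acl/*` the policy is root-equivalent: the holder can rewrite any ACL policy, including `admin_policy` itself, and issue a token carrying it (with `sudo` on token creation the child token presumably need not stay within the caller's own policy set — confirm against the token API docs). app_role_admin.hcl has the same `sys/policies/acl/*` write next to role and secret-id management under `auth/approle/*`, which is the same escalation path in two steps. Scope `auth/*` to the methods this admin actually operates (app_role_admin.hcl already does this with `auth/approle/*`) and limit policy writes to a naming prefix, e.g. `path "sys/policies/acl/app-*"` (constructed prefix), keeping the unrestricted form only for a documented break-glass policy. The heading `# Enable and manage the key/value secrets engine at `secret/` path` sits above a fully commented-out rule and reads as a grant on a quick scan; either delete the dead block or reword it as `# NOT granted here: key/value access at secret/ is assigned per team`. A file-header comment stating that whatever breadth remains is root-equivalent would tell the next operator what they are handing out.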
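Review bot: The capability lists in app_role_admin.hcl are written `[ "create", ... ]` with padded brackets while admin_policy.hcl and identity_admin_policy.hcl use `["create", ...]`; the README added in this commit points at `vault policy fmt`, so running it over all three files would give one style. The `# Write ACL policies` comment above the last block should also say which policies this role is expected to manage, since as written the rule covers every ACL policy in the namespace rather than only those attached to AppRole roles.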
diff --git a/policies/identity_admin_policy.hcl b/policies/identity_admin_policy.hcl
new file mode 100644
index 0000000..3edb6ea
--- /dev/null
+++ b/policies/identity_admin_policy.hcl
@@ -0,0 +1,8 @@
+# Add identity admin role to the token
+path "identity/*" {
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "identity/entity/*/name" {
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
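Review bot: The second block, `path "identity/entity/*/name"`, does not match any real request: in Vault policy paths `*` is a wildcard only at the end of the path (a single-segment wildcard is `+`), and the identity API addresses entities by name at `identity/entity/name/<name>`, which the first block's `identity/*` already covers in full, so the rule is both dead and redundant and should be dropped. The header comment `# Add identity admin role to the token` describes what an operator does with the policy rather than what it grants; replace it with `# Full control of the identity secrets engine: entities, aliases, groups and the OIDC provider endpoints under identity/`. Note in that comment that alias management under `identity/entity-alias` presumably lets the holder re-bind any auth login to an entity carrying stronger policies (confirm against the identity docs), so this policy should be treated as near root-equivalent and assigned as sparingly as admin_policy.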