
HashiCorp Vault Policies

Default Policy

The default policy is created automatically when Vault is initialized, but can be modified as needed. It provides basic access to Vault features for authenticated users.

To restore the default policy to the newest default version, launch a development Vault server (vault server -dev), read the default policy from it, and write that file to the target server:

vault policy read default > default_policy.hcl
vault policy write default default_policy.hcl

Policy Commands

vault policy list
vault policy read <policy-name>
vault policy write <policy-name> <policy-file.hcl>
vault policy delete <policy-name>

Format a policy file using vault policy fmt <policy-file.hcl>.

Display the capabilities a command needs on each path it touches by appending -output-policy; Vault prints the policy stanza instead of executing the command:

vault <anycommand> -output-policy

Auditing

To enable auditing, use the following command:

vault audit enable file file_path=/var/log/vault_audit.log mode=0640

Configure Alloy to read the audit logs from the file path given to vault audit enable. Note that the command above writes to /var/log/vault_audit.log while the Alloy example below reads /var/log/vault/audit.log; adjust one of them so the two paths match.

Add the following configuration to your Alloy setup:

loki.source.file "vault_audit_log" {
    targets = [
        {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit", "level" = "info"},
    ]
    forward_to = [loki.write.default.receiver]
    tail_from_end = true
}

Note: tail_from_end = true ensures that only new log entries are read, preventing the ingestion of old lines/entries. It is (probably) required because the audit log file does not contain timestamps, only entry GUIDs.

Check auditing configuration with:

vault audit list -detailed

To disable auditing, use:

vault audit disable file
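Once the audit device is writing to the file, the entries are worth watching for changes to the policies themselves and to the audit device. The following is an added example, not part of this README: it parses constructed sample lines in the shape of Vault's file audit device output (one JSON object per line, with the type, time, auth, and request fields Vault emits; the ids and names are made up) and flags policy and audit-device mutations.

```python
import json

# Constructed sample audit entries (not real data). Vault writes a "request"
# entry when a call arrives and a "response" entry when it completes.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-05-01T10:00:00Z","type":"request","auth":{"display_name":"token-app","policies":["default","app"]},"request":{"id":"req-0001","operation":"read","path":"secret/data/app/config"}}
{"time":"2024-05-01T10:00:00Z","type":"response","auth":{"display_name":"token-app","policies":["default","app"]},"request":{"id":"req-0001","operation":"read","path":"secret/data/app/config"},"response":{}}
{"time":"2024-05-01T10:05:00Z","type":"response","auth":{"display_name":"userpass-alice","policies":["default","ops"]},"request":{"id":"req-0002","operation":"update","path":"sys/policies/acl/app"},"response":{}}
{"time":"2024-05-01T10:06:00Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"id":"req-0003","operation":"delete","path":"sys/audit/file"},"response":{}}
{"time":"2024-05-01T10:07:00Z","type":"response","auth":{"display_name":"userpass-alice","policies":["default","ops"]},"request":{"id":"req-0004","operation":"read","path":"sys/policies/acl/default"},"response":{}}
this line is deliberately not JSON
"""

# Paths whose mutation changes who can do what, or whether it is recorded at all.
WATCHED_PREFIXES = ("sys/policies/acl/", "sys/audit/")
MUTATING_OPS = {"create", "update", "delete"}


def parse_audit_lines(text):
    """Return the decodable JSON entries; skip blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def policy_change_events(entries):
    """Flag completed (type=response) mutating calls against watched paths."""
    events = []
    for entry in entries:
        if entry.get("type") != "response":
            continue  # count each call once, when it completes
        req = entry.get("request", {})
        path, op = req.get("path", ""), req.get("operation", "")
        if path.startswith(WATCHED_PREFIXES) and op in MUTATING_OPS:
            events.append({"time": entry.get("time"),
                           "actor": entry.get("auth", {}).get("display_name"),
                           "operation": op, "path": path})
    return events


if __name__ == "__main__":
    for event in policy_change_events(parse_audit_lines(SAMPLE_AUDIT_LOG)):
        print(event)
```

Reads of sys/policies/acl/* are left alone; only create/update/delete on a policy, or any change to an audit device, produce an event.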

References

  • RSoP Tool - hvresult computes the Resultant Set of Policy (RSoP) for HashiCorp Vault ACLs.