Wildcards in policy paths
* --> glob wildcard; may appear only at the end of a path
+ --> may appear in the middle of a path
------------------------------------------------------
vault login
vault policy list
vault policy help
——————————————————
cat /etc/vault.d/admin-policy.hcl
#############################
# Vault Policy - Admin
#############################
# Permit access to all sys backend configurations to administer Vault itself.
# Note that some sys/ paths require sudo, hence the "sudo" capability below.
path "sys/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage Vault auth methods. "sudo" is granted on this prefix too, so a holder
# of this policy can also reconfigure how clients authenticate.
path "auth/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage Vault identities. No "sudo" is granted on this prefix.
path "identity/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
——————————————————
vault policy write vault-admin /etc/vault.d/admin-policy.hcl
Success! Uploaded policy: vault-admin
——————————————————
vault policy read app-policy
# Full read/write on the data of every secret under apps/ in the kv engine
# (the "kv/data/" prefix is the KV v2 data endpoint; compare the Secret Path
# printed by `vault kv get` further down).
path "kv/data/apps/*" {
capabilities = ["read","create","update","delete","list"]
}
# Metadata for every secret in the engine. No "delete" here, so metadata
# (and with it the version history) cannot be removed under this policy.
# NOTE(review): this prefix is kv/metadata/*, not kv/metadata/apps/*, and it
# is not covered by the deny rule below, which matches only kv/data/apps/hr/*;
# holders can still read/list hr/* metadata (paths, versions, timestamps),
# though not the secret values. Confirm this is intended.
path "kv/metadata/*" {
capabilities = ["read","create","update","list"]
}
# Carve-out: the more specific hr/* prefix takes precedence over the broader
# kv/data/apps/* grant above, and "deny" cannot be overridden by any other
# capability, so HR secret data is unreadable with this policy.
path "kv/data/apps/hr/*" {
capabilities = ["deny"]
}
——————————————————
vault token create -policy=app-policy
Key Value
--- -----
token hvs.CAESIGh01KavxJJn75FvrIv3lLMYuogr_am4mzKGhpPDWCSKGh4KHGh2cy5VRzN3bjlPaEFTNHAwcHhUWUQ2elZMMWg
token_accessor XJozdFwyYE0yjfCea4Okibt9
token_duration 768h
token_renewable true
token_policies ["app-policy" "default"]
identity_policies []
------------------------------------------------------
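# Read the app token from the file, then export it. Keeping the assignment
# separate from `export` preserves the read's exit status: with
# `export VAULT_TOKEN=$(cat ...)` a missing or unreadable file still returns 0
# and exports an empty VAULT_TOKEN, so later vault commands silently fall back
# to the token the earlier `vault login` stored in the token helper (the admin
# token) instead of running under app-policy. On failure we leave VAULT_TOKEN
# unset and say so on stderr rather than `exit`, since this runs in an
# interactive shell.
# NOTE(review): /tmp/token_file holds a bearer credential; keep it mode 0600
# and remove it once the session is done.
if VAULT_TOKEN=$(cat -- /tmp/token_file) && [[ -n "$VAULT_TOKEN" ]]; then
  export VAULT_TOKEN
else
  unset VAULT_TOKEN
  printf 'error: could not read a token from /tmp/token_file; VAULT_TOKEN not set\n' >&2
fi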
——————————————————
vault kv get kv/apps/frontend
==== Secret Path ====
kv/data/apps/frontend
======= Metadata =======
Key Value
--- -----
created_time 2026-04-14T06:12:48.898828883Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
api 39dnwm2odm2aqcnsl203k
——————————————————
export -n VAULT_TOKEN
vault policy read hr-policy
——————————————————
vault login -method=userpass username=thomas
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIKu8e82XozADFH5wVC89JWCPjU5E9a-16-43yWpIZ8vPGh4KHGh2cy43RWNrZVZsSFlJMWJFSThYUUJMWmI5Wks
token_accessor 6FrBWbMJIyrzFC3f1ZUWHbet
token_duration 768h
token_renewable true
token_policies ["default" "hr-policy"]
identity_policies []
policies ["default" "hr-policy"]
token_meta_username thomas
——————————————————
vault kv get kv/apps/hr/employee/109
======== Secret Path ========
kv/data/apps/hr/employee/109
======= Metadata =======
Key Value
--- -----
created_time 2026-04-14T06:12:49.3277166Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
id 103839829
——————————————————
vault kv put kv/apps/hr/employee/001 id=402948100
======== Secret Path ========
kv/data/apps/hr/employee/001
======= Metadata =======
Key Value
--- -----
created_time 2026-04-14T06:51:51.370934633Z
custom_metadata
deletion_time n/a
destroyed false
version 2