@abdennour
Last active September 13, 2019 10:26
Create an ACL policy in Vault and create a user (token) with that policy
#!/bin/bash
# Needs a reachable Vault and jq. For a throwaway dev server, in another shell:
#   vault server -dev -dev-root-token-id="root"
# The dev server mounts KV v2 at secret/ and stores the root token in the CLI token helper (~/.vault-token).
# export VAULT_ADDR='http://127.0.0.1:8200'
# Do NOT export VAULT_TOKEN in this shell: an exported VAULT_TOKEN overrides the token that
# "vault login" below stores, and every "must FAIL" step would then run as root.
policy_name=mypolicy
# Pre-validation: confirm the KV engine is mounted at secret/ and list the current policies
vault secrets list
vault policy list
# Add the policy. KV v2 serves "secret/<key>" at the API path "secret/data/<key>",
# so the policy paths carry the data/ segment.
# "secret/data/training_*": a trailing "*" is a glob, i.e. a prefix rule; it matches
#   every path starting with "secret/data/training_", including that bare prefix.
# "secret/data/+/apikey": "+" matches exactly one path segment, so one segment must
#   sit between data/ and apikey; "secret/data/apikey" does not match.
cat <<EOF | vault policy write ${policy_name} -
path "secret/data/training_*" {
  capabilities = ["create", "read"]
}
path "secret/data/+/apikey" {
  capabilities = ["create", "read", "update", "delete"]
}
EOF
# Post-validation ("vault policy read" takes one policy name)
vault policy read ${policy_name}
# Create a user (token) carrying the policy; it also gets the "default" policy
# unless -no-default-policy is given
vault token create -policy="${policy_name}" \
  -format=json | jq -r ".auth.client_token" > /tmp/token.txt
# Post-validation: capabilities of the new token on a concrete path (expect: create, read)
vault token capabilities "$(cat /tmp/token.txt)" secret/data/training_dev
# Login as the created user; from here on the CLI acts with mypolicy + default
vault login "$(cat /tmp/token.txt)"
# Validation
echo "It must FAIL: secret/data/apikey has no segment between data/ and apikey"
vault kv put secret/apikey key="my_api_key"
echo "It must SUCCEED: secret/data/training_test matches the glob and the key is new, so this write is a create"
vault kv put secret/training_test password="p@ssw0rd"
echo "It must SUCCEED: read is granted"
vault kv get secret/training_test
echo "It must FAIL: the key now exists, so this write is an update, which the policy does not grant"
vault kv put secret/training_test password="changed"
echo "It must SUCCEED: glob rules are prefix matches (a radix tree lookup), so the bare prefix secret/data/training_ matches too"
vault kv put secret/training_ year="2018"
# Clean up. The token also lives in ~/.vault-token; revoke it when done with:
#   vault token revoke -self
rm -f /tmp/token.txt
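The Go program below is an added example, not code from this gist or from Vault itself. It is a hypothetical, simplified model of how Vault evaluates policy paths (an exact path wins, then a `+` single-segment wildcard, then a trailing `*` glob resolved by longest prefix, which is what Vault's radix tree does) together with the KV v2 rule that a write to a new key is a `create` and a write to an existing key is an `update`. The names `rule`, `policy`, `kvStore`, `set` and `pagePolicy` are this example's own. It replays the script's `vault kv put` sequence offline and shows why each step is allowed or denied, including the bare-prefix write and a second write to an existing key; patterns that combine `+` and `*`, and Vault's tie-breaking between overlapping rules, are not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// rule is one "path" stanza of a Vault policy: a path pattern and its capabilities.
type rule struct {
	pattern string
	caps    map[string]bool
}

// policy is a hypothetical, simplified model of Vault ACL path matching (not Vault's
// code): exact paths win, then "+" single-segment wildcards, then trailing-"*" globs,
// which are prefix rules resolved by longest prefix, as Vault's radix tree does.
// Patterns that combine "+" and "*" are not modelled.
type policy []rule

// matchSegments: same number of "/"-separated segments, each equal or "+" in the pattern.
func matchSegments(pattern, path string) bool {
	ps, xs := strings.Split(pattern, "/"), strings.Split(path, "/")
	if len(ps) != len(xs) {
		return false
	}
	for i := range ps {
		if ps[i] != "+" && ps[i] != xs[i] {
			return false
		}
	}
	return true
}

// capabilities returns the capability set for an API path, or nil (deny) when no rule matches.
func (p policy) capabilities(path string) map[string]bool {
	for _, r := range p {
		if r.pattern == path {
			return r.caps
		}
	}
	for _, r := range p {
		if strings.Contains(r.pattern, "+") && matchSegments(r.pattern, path) {
			return r.caps
		}
	}
	var best map[string]bool
	bestLen := -1
	for _, r := range p {
		prefix := strings.TrimSuffix(r.pattern, "*")
		// the bare prefix satisfies HasPrefix, so secret/data/training_ matches training_*
		if strings.HasSuffix(r.pattern, "*") && strings.HasPrefix(path, prefix) && len(prefix) > bestLen {
			best, bestLen = r.caps, len(prefix)
		}
	}
	return best
}

// kvStore models just enough of KV v2 for "vault kv put secret/<key>": the request goes
// to secret/data/<key> and is a "create" when the key is new and an "update" when it
// already exists (Vault uses the backend's existence check to decide which).
type kvStore map[string]bool

func (s kvStore) put(p policy, key string) (op string, allowed bool) {
	path := "secret/data/" + key
	op = "create"
	if s[path] {
		op = "update"
	}
	if !p.capabilities(path)[op] { // indexing a nil map yields false: deny
		return op, false
	}
	s[path] = true
	return op, true
}

func set(caps ...string) map[string]bool {
	m := map[string]bool{}
	for _, c := range caps {
		m[c] = true
	}
	return m
}

// pagePolicy is the policy the script above writes as "mypolicy".
func pagePolicy() policy {
	return policy{
		{"secret/data/training_*", set("create", "read")},
		{"secret/data/+/apikey", set("create", "read", "update", "delete")},
	}
}

func main() {
	p, s := pagePolicy(), kvStore{}
	for _, key := range []string{"apikey", "training_test", "training_test", "training_", "dev/apikey"} {
		op, ok := s.put(p, key)
		fmt.Printf("kv put secret/%-14s -> %-6s on secret/data/%s allowed=%v\n", key, op, key, ok)
	}
}
```

`go run` prints one line per write: `apikey` is denied (no segment between `data/` and `apikey`), the first `training_test` is an allowed create, the second is a denied update, `training_` is allowed because the bare glob prefix matches, and `dev/apikey` is allowed by the `+` rule. `capabilities("secret/data/training_dev")` is the same answer `vault token capabilities` gives in the script.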