@gnilchee
Last active September 25, 2017 17:53
Creating ACL on Hashicorp Vault
# vault policy-write <policyname> production.hcl
# vault token-create -display-name="Optional Display Name" -ttl=0 -no-default-policy -policy="<policyname>"
path "sys/*" {
  policy = "deny"
}
path "secret/production/*" {
  policy = "write"
}
path "secret/*" {
  policy = "deny"
}
path "auth/token/lookup-self" {
  policy = "read"
}
~ # vault write secret/production value=world
Error writing data to secret/production: Error making API request.
URL: PUT https://127.0.0.1:8200/v1/secret/production
Code: 403. Errors:
* permission denied
~ # vault write secret/hello value=world
Error writing data to secret/hello: Error making API request.
URL: PUT https://127.0.0.1:8200/v1/secret/hello
Code: 403. Errors:
* permission denied
~ # vault write secret/production/hello value=world
Success! Data written to: secret/production/hello
~ # vault write secret/production/tier1/hello value=world
Success! Data written to: secret/production/tier1/hello
~ # vault read secret/production/hello
Key                 Value
---                 -----
refresh_interval    768h0m0s
value               world
~ # vault read secret/production/tier1/hello
Key                 Value
---                 -----
refresh_interval    768h0m0s
value               world
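The results above follow from Vault's matching rule: an exact path match wins, otherwise the longest matching glob prefix does, so secret/production/* covers keys under production while secret/production itself and secret/hello fall under the secret/* deny. The block below is an added simulator of that rule (the editor's code, not the gist's or Vault's) run over the gist's policy; it assumes the capability sets Vault assigns to the legacy deny/read/write/sudo keywords.

```python
# Added example (editor's own code, not from the gist or from Vault): a small
# simulator of Vault's path-matching rule, run against the gist's policy.
# Assumption: legacy "policy" keywords expand to the capability sets below.

LEGACY_CAPS = {
    "deny": set(),
    "read": {"read", "list"},
    "write": {"create", "read", "update", "delete", "list"},
    "sudo": {"create", "read", "update", "delete", "list", "sudo"},
}

# production.hcl from the gist, as (path, legacy policy) pairs.
PRODUCTION_HCL = [
    ("sys/*", "deny"),
    ("secret/production/*", "write"),
    ("secret/*", "deny"),
    ("auth/token/lookup-self", "read"),
]


def matching_rule(rules, request_path):
    """Return the (path, policy) rule applied to request_path.

    An exact path match always wins; otherwise the longest trailing-glob
    prefix covering the request wins. None means no rule matched, which
    Vault treats as deny."""
    best = None
    for rule_path, policy in rules:
        if rule_path == request_path:
            return rule_path, policy
        if rule_path.endswith("*") and request_path.startswith(rule_path[:-1]):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, policy)
    return best


def allowed(rules, request_path, capability):
    """True if the matched rule grants `capability` on request_path."""
    rule = matching_rule(rules, request_path)
    return rule is not None and capability in LEGACY_CAPS[rule[1]]


if __name__ == "__main__":
    # The requests from the transcript: `vault write` needs update (or
    # create on a new key), `vault read` needs read.
    for path, cap in [("secret/production", "update"), ("secret/hello", "update"),
                      ("secret/production/hello", "update"),
                      ("secret/production/tier1/hello", "update"),
                      ("secret/production/hello", "read")]:
        print(f"{cap:6} {path:32} rule={matching_rule(PRODUCTION_HCL, path)} "
              f"-> {allowed(PRODUCTION_HCL, path, cap)}")
```

Paths with no matching rule (for example anything under cubbyhole/) return None and are therefore denied, which is the same default Vault applies.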