HashiCorp Vault - methods of writing ACL policies

HashiCorp Vault - methods of writing ACL policies

There are many methods for writing Vault policies. 

This gist was created to collect the most common methods 
such that they can be easily used as references for syntax, 
as well as evaluation for which method suits a particular purpose.

TODO:

- Add complex policy examples
- Add @json.file examples
- Add httpie examples

Terraform.hcl

resource "vault_policy" "example" {
  name   = "basic"
  policy = "${file("policies/basic.hcl")}"
}

# contents of basic.hcl
path "sys/renew/*" {
    capabilities = ["update"]
}

# Allow renewal of token leases
path "auth/token/renew/*" {
    capabilities = ["update"]
}

Using Curl - JSON body

curl \
    --silent \
    --header "X-Vault-Token: root" \
    --request POST \
    --data '{"rules":"path \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n} \npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n} \npath \"auth/token/lookup-self\" {\n capabilities = [\"read\"]\n}"}' \
    http://127.0.0.1:8200/v1/sys/policy/test
    
    
# read back policy
curl \
    --silent \
    --header "X-Vault-Token: root" \
    --request GET \
    http://127.0.0.1:8200/v1/sys/policy/test | jq '.rules'
"path \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n} \npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n} \npath \"auth/token/lookup-self\" {\n capabilities = [\"read\"]\n}"

Using Vault CLI - using stdin

echo '
path "secret/foo" {
  capabilities = ["list","read"]
}
path "supersecret/*" {
  capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
  capabilities = ["create", "read"]
}
' | vault policy-write user -

## read policy back
#$ vault policies user

path "secret/foo" {
  capabilities = ["list","read"]
}
path "supersecret/*" {
  capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
  capabilities = ["create", "read"]
}

Using Vault CLI - write using HCL file

echo '
path "secret/foo" {
  capabilities = ["list","read"]
}
path "supersecret/*" {
  capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
  capabilities = ["create", "read"]
}
' > policy.hcl

vault policy-write test2 policy.hcl
####################################################
# read back policy
#$ vault policies test2

path "secret/foo" {
  capabilities = ["list","read"]
}
path "supersecret/*" {
  capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
  capabilities = ["create", "read"]
}

####################################################
vault read -format=json sys/policy/test2
{
	"request_id": "dae10a3f-1334-9cb9-df2e-4571d32c6530",
	"lease_id": "",
	"lease_duration": 0,
	"renewable": false,
	"data": {
		"name": "test2",
		"rules": "\npath \"secret/foo\" {\n  capabilities = [\"list\",\"read\"]\n}\npath \"supersecret/*\" {\n  capabilities = [\"list\", \"read\"]\n}\npath \"auth/token/lookup-self\" {\n  capabilities = [\"create\", \"read\"]\n}\n\n"
	},
	"warnings": null
}


####################################################
vault read sys/policy/test2
Key  	Value
---  	-----
name 	test2
rules	path "secret/foo" {
  capabilities = ["list","read"]
}
path "supersecret/*" {
  capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
  capabilities = ["create", "read"]
}