This topic describes the policy output flag for the Vault Command Line Interface (Vault CLI) introduced in Vault 1.11.
The CLI flag -output-policy can be used with any command to print the minimum required policy, in HCL format, for that operation, including whether the given path requires the "sudo" capability.
Prerequisites:
1. An authenticated user with sufficient permissions to execute the CLI command against the Vault path in question.
Examples:
$ vault auth enable -output-policy aws
path "sys/auth/aws" {
  capabilities = ["create", "update", "sudo"]
}

$ vault write -output-policy auth/userpass/users/zaid password=foo
path "auth/userpass/users/zaid" {
  capabilities = ["create", "update"]
}

$ vault policy write -output-policy my-policy admin-policy.hcl
path "sys/policies/acl/my-policy" {
  capabilities = ["create", "update"]
}
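The outputs above each cover a single command; a least-privilege policy for a workflow is the union of several of them. The following is an added example (not code from this topic or from the Vault project) that merges several -output-policy results into one policy and lists the paths that need "sudo"; the regex assumes the path-block shape printed above, the function names are my own, and the fourth sample (a "read" on the userpass path) is constructed to show how capabilities for a repeated path are merged.

```python
import re
from collections import OrderedDict

# Constructed samples: the three -output-policy results shown above plus a
# fourth, constructed "read" on the same userpass path, as if captured from
# four separate CLI invocations.
SAMPLE_OUTPUTS = [
    'path "sys/auth/aws" {\n  capabilities = ["create", "update", "sudo"]\n}',
    'path "auth/userpass/users/zaid" {\n  capabilities = ["create", "update"]\n}',
    'path "sys/policies/acl/my-policy" {\n  capabilities = ["create", "update"]\n}',
    'path "auth/userpass/users/zaid" {\n  capabilities = ["read"]\n}',
]

# Matches one path block in the shape -output-policy prints (an assumption
# about that format; this is not a general HCL parser).
_BLOCK = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)

def parse_policy(text):
    """Return {path: set(capabilities)} from one -output-policy result."""
    blocks = {}
    for path, caps in _BLOCK.findall(text):
        names = [c.strip().strip('"') for c in caps.split(",") if c.strip()]
        blocks.setdefault(path, set()).update(names)
    return blocks

def merge_policies(outputs):
    """Union the per-path capabilities of several outputs, keeping first-seen path order."""
    merged = OrderedDict()
    for text in outputs:
        for path, caps in parse_policy(text).items():
            merged.setdefault(path, set()).update(caps)
    return merged

def sudo_paths(merged):
    """Paths that need the root-protected "sudo" capability; review these before granting."""
    return sorted(p for p, caps in merged.items() if "sudo" in caps)

# Display order only (a preference, not an ordering Vault requires).
CAP_ORDER = ["create", "read", "update", "patch", "delete", "list", "sudo", "deny"]

def render_hcl(merged):
    """Emit the merged policy in the same HCL form the CLI prints."""
    out = []
    for path, caps in merged.items():
        ordered = [c for c in CAP_ORDER if c in caps] + sorted(caps - set(CAP_ORDER))
        caps_txt = ", ".join('"%s"' % c for c in ordered)
        out.append('path "%s" {\n  capabilities = [%s]\n}' % (path, caps_txt))
    return "\n\n".join(out)

if __name__ == "__main__":
    policy = merge_policies(SAMPLE_OUTPUTS)
    print(render_hcl(policy))
    print("# sudo required on:", ", ".join(sudo_paths(policy)))
```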
For more information, please refer to our official documentation listed below:
https://github.com/hashicorp/vault/pull/14899