This topic introduces the policy output flag for the Vault Command Line Interface (Vault CLI), added in Vault 1.11.
The global CLI flag -output-policy can now be used with any command to print the minimum policy HCL required for that operation, including whether the given path requires the "sudo" capability.
Prerequisites:
1. A token or an authenticated user with sufficient permissions to execute the CLI command against the path.
2. The path must already exist. Policy output for a hypothetical path will fail; the path has to refer, for example, to a secrets engine or auth method that is already enabled and configured.
Examples:
[vault ~]# vault auth enable -output-policy aws
path "sys/auth/aws" {
capabilities = ["create", "update", "sudo"]
}
[vault ~]# vault write -output-policy auth/userpass/users/zaid password=foo
path "auth/userpass/users/zaid" {
capabilities = ["create", "update"]
}
[vault ~]# vault policy write -output-policy my-policy admin-policy.hcl
path "sys/policies/acl/my-policy" {
capabilities = ["create", "update"]
}
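Once the fragments for every command a job runs have been captured, they can be merged into a single least-privilege policy. The following Python script is an added example (not code from the Vault project): it parses HCL fragments in the shape printed above, unions the capabilities of paths that appear more than once, and lists the paths that need "sudo" so a reviewer can see which operations escalate. The sample input is constructed from the examples above, with one extra "read" fragment added to show the merge.

```python
"""Merge `vault ... -output-policy` fragments into one policy document."""
import re
from typing import Dict, List, Set

# Constructed sample: three fragments from the examples above plus a
# repeated path with a different capability, to exercise the union.
SAMPLE_OUTPUT = """
path "sys/auth/aws" {
  capabilities = ["create", "update", "sudo"]
}
path "auth/userpass/users/zaid" {
  capabilities = ["create", "update"]
}
path "sys/policies/acl/my-policy" {
  capabilities = ["create", "update"]
}
path "auth/userpass/users/zaid" {
  capabilities = ["read"]
}
"""

# One stanza per path: path "<p>" { capabilities = ["a", "b"] }
_STANZA = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}',
    re.S,
)
# Fixed ordering keeps the rendered policy stable for diff review.
_ORDER = ["create", "read", "update", "delete", "list", "sudo", "deny"]


def parse_fragments(text: str) -> Dict[str, Set[str]]:
    """Return {path: set(capabilities)}, unioning repeated paths."""
    merged: Dict[str, Set[str]] = {}
    for m in _STANZA.finditer(text):
        caps = set(re.findall(r'"([^"]+)"', m.group("caps")))
        merged.setdefault(m.group("path"), set()).update(caps)
    return merged


def sudo_paths(merged: Dict[str, Set[str]]) -> List[str]:
    """Paths whose stanza requires "sudo"; these deserve a second look."""
    return sorted(p for p, caps in merged.items() if "sudo" in caps)


def render_policy(merged: Dict[str, Set[str]]) -> str:
    """Emit one policy in the same HCL shape the CLI prints."""
    out = []
    for path in sorted(merged):
        caps = sorted(merged[path], key=lambda c: _ORDER.index(c) if c in _ORDER else len(_ORDER))
        quoted = ", ".join(f'"{c}"' for c in caps)
        out.append(f'path "{path}" {{\n  capabilities = [{quoted}]\n}}')
    return "\n".join(out) + "\n"
```

The rendered output can be written straight to a file and loaded with vault policy write, after the sudo paths have been reviewed.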
For more information, please refer to our official documentation listed below:
https://github.com/hashicorp/vault/pull/14899