Vault
Create policies in the Vault GUI
You can create policies in the Vault GUI using the policy editor on the ACL policy page and, for Vault Enterprise, with the policy generator: an integrated modal for supported plugins.
The editor and the generator both create policies formatted in HashiCorp Configuration Language (HCL), but the policy generator helps you create ACL policies with a guided interface that prepopulates the form with the relevant rule paths for existing secrets.
Option 1: Generate a policy from within a plugin (Enterprise)
To use the policy generator:
- You must have Vault version 2.0.0 or later.
- You must have permission to access the target secret engine.
- To prefill policy paths with the builder, make sure secrets exist in the target secret engine.
When you open the visual policy generator for a plugin, the Vault GUI prepopulates the form with the relevant rule paths for that instance.
The following secret engines support the policy generator:
- Sign in to the Vault GUI.
- Navigate to a supported plugin.
- Select a secret to generate a policy for.
- Click Generate policy in the page header. The Generate policy action may be inside the Manage dropdown.
- Review the prepopulated paths and select capabilities.
- Click Save or expand Automation snippets to copy the generated snippet.
Option 2: Create an ACL policy using the visual policy editor
To use the policy editor:
- You must have Vault version 2.0.0 or later.
- You must have permission to create ACL policies:
  create permission for the /sys/policies/acl endpoint.
- Sign in to the Vault GUI.
- Open the Access control menu.
- Select ACL policies.
- Click Create ACL Policy.
- Enter the resource path.
- Select the desired permissions for that path.
- Click Add rule to define capabilities for another path.
- Click Create policy to save the policy.
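Before you click Save or Create policy, it helps to check the HCL for rules that grant more than intended. The following is an added example, not part of the Vault documentation or the Vault code base: a small Python check that parses `path` blocks and flags three patterns worth a second look. The sample policy, the function names, and the choice of checks are assumptions made for illustration.

```python
import re

# Constructed sample policy in the path/capabilities HCL form described above.
SAMPLE_POLICY = '''
path "secret/data/app/config" {
  capabilities = ["read"]
}
path "secret/data/*" {
  capabilities = ["create", "update", "delete"]
}
path "sys/policies/acl/*" {
  capabilities = ["read", "sudo"]
}
path "secret/data/app/legacy" {
  capabilities = ["deny", "read"]
}
'''

WRITE_CAPS = {"create", "update", "patch", "delete"}
# Matches: path "<path>" { ... capabilities = [ ... ] (simple rules only)
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]')

def parse_rules(hcl):
    """Return [(path, set_of_capabilities)] for each path block."""
    return [(path, set(re.findall(r'"([^"]+)"', caps)))
            for path, caps in RULE_RE.findall(hcl)]

def review(hcl):
    """Return (path, finding) pairs for rules that deserve a second look."""
    findings = []
    for path, caps in parse_rules(hcl):
        # "*" globs the rest of the path; "+" matches one whole segment.
        wildcard = path.endswith("*") or "+" in path.split("/")
        if "deny" in caps and len(caps) > 1:
            findings.append((path, "deny overrides the other capabilities listed"))
        if "sudo" in caps:
            findings.append((path, "sudo grants access to root-protected paths"))
        if wildcard and caps & WRITE_CAPS:
            findings.append((path, "write capabilities on a wildcard path"))
    return findings

if __name__ == "__main__":
    for path, finding in review(SAMPLE_POLICY):
        print(f"{path}: {finding}")
```

The regular expression handles only simple rules with a single capabilities list; treat a clean result as a prompt for manual review, not as proof that the policy is least-privilege.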
Related information
- Refer to the Policies concept overview for path syntax and capability options.