Control who can touch which secret. Write HCL policies that grant capabilities on paths, attach them to tokens, and test that least-privilege access actually works.
Why: on its own a token can reach nothing: Vault denies every request until a policy grants it. The only exceptions are the built-in default policy (attached to every new token unless you pass -no-default-policy; it covers self-lookup, self-renewal and cubbyhole, not secrets) and the root policy, which bypasses the checks entirely. A policy is a set of rules, each mapping a path to a list of capabilities (create, read, update, delete, list, plus sudo for root-protected paths and deny). You attach policies to tokens directly or through an auth method's roles. This is least privilege by construction: there is no default access to take away, you only ever add permissions.
capabilities on a path:
read ─ read a secret
create ─ write a new one
update ─ overwrite an existing one
delete ─ remove it
list ─ list keys under a path
deny ─ explicitly forbid (wins over every other capability on that path, across all policies attached to the token)
Why: a policy is HCL: one or more path blocks, each granting capabilities. A path can end in a * glob (everything under that prefix; * is only valid at the end of the path) or use + to match exactly one path segment. When several rules match a request, the most specific one applies, so an exact path beats a glob that also covers it. Note the KV v2 quirk: secret data lives under <mount>/data/<path> and listing goes through <mount>/metadata/<path>, so a policy for kv/myapp targets kv/data/myapp, and a rule that allows listing targets kv/metadata/myapp/*. This policy gives read-only access to one app's secrets.
# app-read.hcl — read-only access to one app's KV v2 secrets
path "kv/data/myapp" {
capabilities = ["read"]
}
# allow listing keys under the app prefix
path "kv/metadata/myapp/*" {
capabilities = ["list"]
}
Why: you register a policy by name, then issue a token bound to it. vault policy write loads the HCL; vault token create -policy grants it (the token also carries the default policy unless you add -no-default-policy). The resulting token can do exactly what its attached policies allow and nothing else: the everyday way to scope access for a person or a job.
Register the policy under a name
vault policy write app-read app-read.hcl
Mint a token that carries only that policy
vault token create -policy=app-read
Why: always verify that a policy does what you think. Log in with the scoped token and confirm that the allowed read works while a write is denied. vault token capabilities answers "what can this token do on this path?" without trial and error: it reports the capabilities Vault resolves for the path you give it, or deny when no rule matches. Ask about the API path (kv/data/myapp), not the CLI shorthand (kv/myapp), or the answer will be deny for the wrong reason.
Log in as the scoped token, then:
vault kv get kv/myapp        # works (read granted on kv/data/myapp)
vault kv put kv/myapp x=1    # permission denied (no create/update on kv/data/myapp)
Ask Vault directly what a token may do on a path (no token argument means the token you are logged in as; pass a token before the path to inspect another one)
vault token capabilities kv/data/myapp
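Added example, not code from the page or from HashiCorp: a small Python model of how Vault resolves capabilities for a request, covering the matching rules described above (exact paths, trailing * globs, + single-segment wildcards, the most specific rule winning, deny beating everything across attached policies) and the KV v2 translation from vault kv get/put/delete/list to the kv/data/... and kv/metadata/... paths the ACL check actually sees. The functions parse_policy, evaluate and kv2_check and the sample policies are invented for this illustration; the priority ordering follows Vault's documented priority-matching rules but is an approximation of the real implementation, and the parser handles only the path/capabilities subset of HCL used on this page. It lets you predict what vault token capabilities will report before you register a policy.

```python
"""Simplified model of Vault ACL evaluation (added example, not Vault's source).

Parses the path/capabilities subset of policy HCL, applies Vault's documented
matching rules (exact path, trailing '*' glob, '+' single-segment wildcard,
most specific rule wins, deny wins), merges the policies attached to a token,
and maps KV v2 CLI verbs onto the ACL paths they hit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: str
    capabilities: frozenset


# Matches:  path "kv/data/myapp" { capabilities = ["read", "list"] }
PATH_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> list[Rule]:
    """Parse path blocks from policy HCL; '#' comments are stripped first."""
    body = "\n".join(line.split("#", 1)[0] for line in hcl.splitlines())
    rules = []
    for pattern, caps in PATH_BLOCK.findall(body):
        capset = frozenset(c.strip().strip('"') for c in caps.split(",") if c.strip())
        rules.append(Rule(pattern, capset))
    return rules


def pattern_regex(pattern: str) -> re.Pattern:
    """'+' matches exactly one segment; a trailing '*' matches any suffix, including none."""
    glob = pattern.endswith("*")
    core = pattern[:-1] if glob else pattern
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in core.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def priority(pattern: str) -> tuple:
    """Higher tuple = more specific (approximation of Vault's priority matching):
    later first wildcard, no trailing glob, fewer '+' segments, longer, lexicographic."""
    first_wildcard = min((i for i, ch in enumerate(pattern) if ch in "+*"), default=len(pattern))
    return (first_wildcard, not pattern.endswith("*"), -pattern.count("+"), len(pattern), pattern)


def evaluate(policies: dict[str, list[Rule]], acl_path: str) -> frozenset:
    """Capabilities a token holding `policies` has on `acl_path`; empty set = implicit deny."""
    matched: dict[str, frozenset] = {}
    for rules in policies.values():
        for rule in rules:
            if pattern_regex(rule.pattern).match(acl_path):
                # the same pattern in several policies: capabilities are unioned
                matched[rule.pattern] = matched.get(rule.pattern, frozenset()) | rule.capabilities
    if not matched:
        return frozenset()
    caps = matched[max(matched, key=priority)]       # most specific rule applies
    return frozenset({"deny"}) if "deny" in caps else caps  # explicit deny wins


# KV v2: CLI verb -> (API sub-path under the mount, capabilities that satisfy it)
KV2_OPS = {
    "get": ("data", {"read"}),
    "put": ("data", {"create", "update"}),
    "delete": ("data", {"delete"}),
    "list": ("metadata", {"list"}),
}


def kv2_check(policies: dict[str, list[Rule]], op: str, mount: str, secret: str) -> tuple[str, bool]:
    """Translate `vault kv <op> <mount>/<secret>` to its ACL path and decide whether it is allowed."""
    kind, needed = KV2_OPS[op]
    acl_path = f"{mount}/{kind}/{secret}" + ("/" if op == "list" else "")  # list is checked as a directory
    return acl_path, bool(evaluate(policies, acl_path) & needed)


# Constructed sample policies: the page's app-read policy plus two extras for edge cases.
APP_READ = """
# app-read.hcl
path "kv/data/myapp"       { capabilities = ["read"] }
path "kv/metadata/myapp/*" { capabilities = ["list"] }
"""
TEAM_CONFIGS = """
# '+' is one segment: kv/data/teamA/config matches, kv/data/teamA/sub/config does not
path "kv/data/+/config" { capabilities = ["read"] }
"""
LOCKDOWN = """
# explicit deny on the same path beats the read that app-read grants
path "kv/data/myapp" { capabilities = ["deny"] }
"""

if __name__ == "__main__":
    token = {"app-read": parse_policy(APP_READ), "team-configs": parse_policy(TEAM_CONFIGS)}
    for op, secret in [("get", "myapp"), ("put", "myapp"), ("list", "myapp"), ("get", "otherapp"),
                       ("get", "teamA/config"), ("get", "teamA/sub/config")]:
        path, ok = kv2_check(token, op, "kv", secret)
        print(f"vault kv {op:<6} kv/{secret:<18} -> {path:<24} {'allowed' if ok else 'permission denied'}")
    token["lockdown"] = parse_policy(LOCKDOWN)
    print("with lockdown attached, vault kv get kv/myapp allowed:", kv2_check(token, "get", "kv", "myapp")[1])
```

Run it directly to print the allow/deny table. Three things to notice: put is refused even though the same token can read the same path; the list works only because the separate kv/metadata rule exists; and attaching the lockdown policy flips the read to deny even though app-read still grants it, which is why deny is the one capability you can use to carve exceptions out of a broader grant.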