/sys/policy

The /sys/policy endpoint is used to manage ACL policies in Vault.

List policies

Restricted endpoint

The API path can only be called from the root or administrative namespace.

This endpoint lists all configured policies.

Method	Path
`GET`	`/sys/policy`

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/policy

{
  "policies": ["root", "deploy"]
}

Restricted endpoint

The API path can only be called from the root or administrative namespace.

This endpoint retrieve the policy body for the named policy.

Method	Path
`GET`	`/sys/policy/:name`

name (string: <required>) – Specifies the name of the policy to retrieve. This is specified as part of the request URL.

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/policy/my-policy

{
  "name": "my-policy",
  "rules": "path \"secret/*\"...
}

Restricted endpoint

The API path can only be called from the root or administrative namespace.

This endpoint adds a new or updates an existing policy. Once a policy is updated, it takes effect immediately to all associated users.

Method	Path
`POST`	`/sys/policy/:name`

name (string: <required>) – Specifies the name of the policy to create. This is specified as part of the request URL.
policy (string: <required>) - Specifies the policy document.

{
  "policy": "path \"secret/foo\" {..."
}

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/policy/my-policy

Restricted endpoint

The API path can only be called from the root or administrative namespace.

This endpoint deletes the policy with the given name. This will immediately affect all users associated with this policy.

Method	Path
`DELETE`	`/sys/policy/:name`

name (string: <required>) – Specifies the name of the policy to delete. This is specified as part of the request URL.

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/policy/my-policy