kawsark · August 1, 2024 10:27 · Oct 12, 2020 · Jun 27, 2019 · Jun 27, 2019
diff --git a/example-vault-admin-policy.hcl b/example-vault-admin-policy.hcl
@@ -25,7 +25,7 @@ path "sys/auth"
 # List existing policies
 path "sys/policies/acl"
 {
-  capabilities = ["read"]
+  capabilities = ["read","list"]
 }
 
 # Create and manage ACL policies

diff --git a/vault-admin-policy.hcl → example-vault-admin-policy.hcl b/vault-admin-policy.hcl → example-vault-admin-policy.hcl
diff --git a/vault-admin-policy.hcl b/vault-admin-policy.hcl
@@ -0,0 +1,59 @@
+# Allow managing leases
+path "sys/leases/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage auth methods broadly across Vault
+path "auth/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create, update, and delete auth methods
+path "sys/auth/*"
+{
+  capabilities = ["create", "update", "delete", "sudo"]
+}
+
+# List auth methods
+path "sys/auth"
+{
+  capabilities = ["read"]
+}
+
+# List existing policies
+path "sys/policies/acl"
+{
+  capabilities = ["read"]
+}
+
+# Create and manage ACL policies
+path "sys/policies/acl/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List, create, update, and delete key/value secrets
+path "secret/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage secret engines
+path "sys/mounts/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List existing secret engines.
+path "sys/mounts"
+{
+  capabilities = ["read"]
+}
+
+# Read health checks
+path "sys/health"
+{
+  capabilities = ["read", "sudo"]
+}