Vaultx.Sys.Policies (Vaultx v0.7.0)
View SourceComprehensive policy management for HashiCorp Vault system backend.
This module provides enterprise-grade policy management capabilities for Vault ACL (Access Control List), RGP (Role Governing Policies), and EGP (Endpoint Governing Policies), enabling fine-grained access control and security governance for enterprise Vault deployments with complete policy lifecycle management.
Enterprise Policy Management
ACL Policies (Access Control Lists)
- Standard Vault policies written in HCL format
- Define path-based access permissions and capabilities
- Support for create, read, update, delete, list, and deny operations
- Automatic policy validation and syntax checking
RGP Policies (Role Governing Policies) - Enterprise
- Advanced policy enforcement using Sentinel language
- Role-based policy governance with enforcement levels
- Support for advisory, soft-mandatory, and hard-mandatory enforcement
- Complex business logic and compliance rule implementation
EGP Policies (Endpoint Governing Policies) - Enterprise
- Path-based policy enforcement across multiple endpoints
- Global policy application with wildcard path support
- Advanced request/response filtering and validation
- Multi-path policy assignment and management
API Compliance
Fully implements HashiCorp Vault Policies API:
Usage Examples
# ACL Policy Operations
{:ok, policies} = Vaultx.Sys.Policies.list_acl()
{:ok, policy} = Vaultx.Sys.Policies.read_acl("my-policy")
:ok = Vaultx.Sys.Policies.write_acl("my-policy", policy_rules)
:ok = Vaultx.Sys.Policies.delete_acl("my-policy")
# RGP Policy Operations (Enterprise)
{:ok, policies} = Vaultx.Sys.Policies.list_rgp()
{:ok, policy} = Vaultx.Sys.Policies.read_rgp("webapp-policy")
:ok = Vaultx.Sys.Policies.write_rgp("webapp-policy", %{
policy: "rule main = {...",
enforcement_level: "soft-mandatory"
})
# EGP Policy Operations (Enterprise)
{:ok, policies} = Vaultx.Sys.Policies.list_egp()
{:ok, policy} = Vaultx.Sys.Policies.read_egp("global-policy")
:ok = Vaultx.Sys.Policies.write_egp("global-policy", %{
policy: "rule main = {...",
paths: ["*", "secret/*"],
enforcement_level: "hard-mandatory"
})Policy Language Examples
ACL Policy (HCL Format)
# Allow full access to secret/myapp/*
path "secret/myapp/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# Allow read-only access to secret/shared/*
path "secret/shared/*" {
capabilities = ["read", "list"]
}RGP Policy (Sentinel Language)
rule main = {
token.ttl <= 3600 and
"developers" in token.groups
}EGP Policy (Sentinel Language)
rule main = {
request.operation in ["create", "update"] and
strings.has_prefix(request.path, "secret/")
}Security Considerations
- Policy changes take effect immediately for all associated tokens
- The "root" policy cannot be deleted or modified
- The "default" policy is automatically attached to all tokens
- Use principle of least privilege when designing policies
- RGP and EGP policies require Vault Enterprise
- Test policies thoroughly before production deployment
Summary
Types
ACL policy information structure.
EGP policy configuration for creation/update.
EGP policy information structure.
Policy management options.
RGP policy configuration for creation/update.
RGP policy information structure.
Functions
Delete an ACL policy.
Delete an EGP policy.
Delete an RGP policy.
List all configured ACL policies.
List all configured EGP policies.
List all configured RGP policies.
Read a specific ACL policy.
Read a specific EGP policy.
Read a specific RGP policy.
Create or update an ACL policy.
Create or update an EGP policy.
Create or update an RGP policy.
Types
ACL policy information structure.
@type egp_policy_config() :: %{ policy: String.t(), enforcement_level: String.t(), paths: [String.t()] | String.t() }
EGP policy configuration for creation/update.
@type egp_policy_info() :: %{ name: String.t(), policy: String.t(), enforcement_level: String.t(), paths: [String.t()] }
EGP policy information structure.
@type policy_opts() :: [ timeout: pos_integer(), retry_attempts: non_neg_integer(), namespace: String.t() ]
Policy management options.
RGP policy configuration for creation/update.
RGP policy information structure.
Functions
@spec delete_acl(String.t(), policy_opts()) :: Vaultx.Types.result(:ok)
Delete an ACL policy.
Permanently removes the specified ACL policy. This will immediately affect
all tokens associated with this policy.
Implements DELETE /sys/policies/acl/:name.
Security Notes
- The "root" policy cannot be deleted
- The "default" policy cannot be deleted
- Deletion takes effect immediately for all associated tokens
Examples
:ok = Vaultx.Sys.Policies.delete_acl("old-policy")@spec delete_egp(String.t(), policy_opts()) :: Vaultx.Types.result(:ok)
Delete an EGP policy.
Permanently removes the specified EGP policy from all paths on which it was configured.
This will immediately affect all tokens associated with this policy.
EGP policies are only available in Vault Enterprise.
Implements DELETE /sys/policies/egp/:name.
Examples
:ok = Vaultx.Sys.Policies.delete_egp("old-egp-policy")@spec delete_rgp(String.t(), policy_opts()) :: Vaultx.Types.result(:ok)
Delete an RGP policy.
Permanently removes the specified RGP policy. This will immediately affect
all tokens associated with this policy.
RGP policies are only available in Vault Enterprise.
Implements DELETE /sys/policies/rgp/:name.
Examples
:ok = Vaultx.Sys.Policies.delete_rgp("old-rgp-policy")@spec list_acl(policy_opts()) :: Vaultx.Types.result([String.t()])
List all configured ACL policies.
Returns a list of ACL policy names available in the Vault instance.
Implements LIST /sys/policies/acl.
Examples
{:ok, policies} = Vaultx.Sys.Policies.list_acl()
policies #=> ["default", "root", "my-policy"]@spec list_egp(policy_opts()) :: Vaultx.Types.result([String.t()])
List all configured EGP policies.
Returns a list of EGP (Endpoint Governing Policy) names available in the Vault Enterprise instance.
EGP policies are only available in Vault Enterprise.
Implements LIST /sys/policies/egp.
Examples
{:ok, policies} = Vaultx.Sys.Policies.list_egp()
policies #=> ["breakglass", "global-policy"]@spec list_rgp(policy_opts()) :: Vaultx.Types.result([String.t()])
List all configured RGP policies.
Returns a list of RGP (Role Governing Policy) names available in the Vault Enterprise instance.
RGP policies are only available in Vault Enterprise.
Implements LIST /sys/policies/rgp.
Examples
{:ok, policies} = Vaultx.Sys.Policies.list_rgp()
policies #=> ["webapp", "database"]@spec read_acl(String.t(), policy_opts()) :: Vaultx.Types.result(acl_policy_info())
Read a specific ACL policy.
Retrieves the policy rules for the specified ACL policy name.
Implements GET /sys/policies/acl/:name.
Examples
{:ok, policy} = Vaultx.Sys.Policies.read_acl("my-policy")
policy.name #=> "my-policy"
policy.policy #=> "path "secret/*" { capabilities = ["read"] }"@spec read_egp(String.t(), policy_opts()) :: Vaultx.Types.result(egp_policy_info())
Read a specific EGP policy.
Retrieves the policy rules and configuration for the specified EGP policy name.
EGP policies are only available in Vault Enterprise.
Implements GET /sys/policies/egp/:name.
Examples
{:ok, policy} = Vaultx.Sys.Policies.read_egp("breakglass")
policy.name #=> "breakglass"
policy.policy #=> "rule main = { request.operation in ["create", "update"] }"
policy.enforcement_level #=> "soft-mandatory"
policy.paths #=> ["*"]@spec read_rgp(String.t(), policy_opts()) :: Vaultx.Types.result(rgp_policy_info())
Read a specific RGP policy.
Retrieves the policy rules and configuration for the specified RGP policy name.
RGP policies are only available in Vault Enterprise.
Implements GET /sys/policies/rgp/:name.
Examples
{:ok, policy} = Vaultx.Sys.Policies.read_rgp("webapp")
policy.name #=> "webapp"
policy.policy #=> "rule main = { token.ttl <= 3600 }"
policy.enforcement_level #=> "soft-mandatory"@spec write_acl(String.t(), String.t(), policy_opts()) :: Vaultx.Types.result(:ok)
Create or update an ACL policy.
Creates a new ACL policy or updates an existing one with the specified rules.
Policy changes take effect immediately for all associated tokens.
Implements POST /sys/policies/acl/:name.
Examples
rules = ~s(path "secret/myapp/*" { capabilities = ["create", "read", "update", "delete"] })
:ok = Vaultx.Sys.Policies.write_acl("myapp-policy", rules)@spec write_egp(String.t(), egp_policy_config(), policy_opts()) :: Vaultx.Types.result(:ok)
Create or update an EGP policy.
Creates a new EGP policy or updates an existing one with the specified rules, enforcement level, and paths.
EGP policies are only available in Vault Enterprise.
Policy changes take effect immediately for all associated tokens.
Implements POST /sys/policies/egp/:name.
Parameters
name: The name of the EGP policyconfig: Policy configuration containing:policy: The Sentinel policy documentenforcement_level: One of "advisory", "soft-mandatory", or "hard-mandatory"paths: List of paths or comma-separated string of paths where the policy applies
Examples
config = %{
policy: "rule main = { request.operation in ["create", "update"] }",
enforcement_level: "soft-mandatory",
paths: ["*", "secret/*", "transit/keys/*"]
}
:ok = Vaultx.Sys.Policies.write_egp("global-policy", config)@spec write_rgp(String.t(), rgp_policy_config(), policy_opts()) :: Vaultx.Types.result(:ok)
Create or update an RGP policy.
Creates a new RGP policy or updates an existing one with the specified rules and enforcement level.
RGP policies are only available in Vault Enterprise.
Policy changes take effect immediately for all associated tokens.
Implements POST /sys/policies/rgp/:name.
Parameters
name: The name of the RGP policyconfig: Policy configuration containing:policy: The Sentinel policy documentenforcement_level: One of "advisory", "soft-mandatory", or "hard-mandatory"
Examples
config = %{
policy: "rule main = { token.ttl <= 3600 and "developers" in token.groups }",
enforcement_level: "soft-mandatory"
}
:ok = Vaultx.Sys.Policies.write_rgp("webapp-policy", config)