Policy

Manipulate policies

policies = client.sys.list_policies()['data']['policies'] # => ['root']

policy = """
path "sys" {
  capabilities = ["deny"]
}

path "secret/*" {
  capabilities = ["read", "list"]
}

path "secret/foo" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
"""

client.sys.create_or_update_policy(
    name='secret-writer',
    policy=policy,
)

client.sys.delete_policy('oldthing')

# The get_policy method offers some additional features and is available in the Client class.
policy = client.get_policy('mypolicy')

# Requires pyhcl to automatically parse HCL into a Python dictionary
policy = client.get_policy('mypolicy', parse=True)

Using Python Variable(s) In Policy Rules

import hvac

client = hvac.Client(url='https://127.0.0.1:8200')

key = 'some-key-string'

policy_body = """
path "transit/encrypt/%s" {
    capabilities = ["update"]
}
""" % key
client.sys.create_or_update_policy(
    name='my-policy-name',
    policy=policy_body,
)
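Because the policy body above is assembled by string interpolation, whatever ends up in key decides which paths the rule covers, and a value containing a quote, brace, '*' or '+' would widen it. The following is an added example, not hvac's own code: it validates an interpolated segment before rendering a rule in the HCL shape used on this page, and audits a finished policy body for write capabilities on glob paths. The function names, regular expressions and sample policies are assumptions constructed for the example.

```python
import re
# Capability names Vault accepts in a policy; this page uses the first five.
KNOWN_CAPS = {"create", "read", "update", "delete", "list", "patch", "sudo", "deny"}
WRITE_CAPS = {"create", "update", "delete", "patch", "sudo"}
# An interpolated value must stay one plain segment: a quote, brace, '/', '*' or '+' changes scope.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_.-]+$")
BLOCK_RE = re.compile(r'path\s+"([^"]*)"\s*\{([^}]*)\}')

def is_safe_segment(value):
    return bool(SAFE_SEGMENT.match(value))

def render_rule(path_template, segment, capabilities):
    # Render one 'path' block, substituting segment for '{}' in the template.
    if not is_safe_segment(segment):
        raise ValueError("unsafe path segment: %r" % segment)
    unknown = set(capabilities) - KNOWN_CAPS
    if unknown:
        raise ValueError("unknown capabilities: %s" % sorted(unknown))
    caps = ", ".join('"%s"' % c for c in capabilities)
    return 'path "%s" {\n  capabilities = [%s]\n}\n' % (path_template.format(segment), caps)

def parse_policy(hcl):
    # Return {path: set(capabilities)} for the simple HCL shape shown on this page.
    rules = {}
    for path, body in BLOCK_RE.findall(hcl):
        match = re.search(r"capabilities\s*=\s*\[([^\]]*)\]", body)
        rules[path] = set(re.findall(r'"([^"]*)"', match.group(1))) if match else set()
    return rules

def audit_policy(hcl):
    # Flag write capabilities under a glob path ('*' suffix or '+' segment) and any 'sudo'.
    findings = []
    for path, caps in sorted(parse_policy(hcl).items()):
        is_glob = path.endswith("*") or "+" in path.split("/")
        if is_glob and caps & WRITE_CAPS:
            findings.append("%s: write %s on glob path" % (path, sorted(caps & WRITE_CAPS)))
        if "sudo" in caps:
            findings.append("%s: grants sudo" % path)
    return findings
# Constructed samples: two rules from this page's secret-writer policy, and a looser one.
SECRET_WRITER = '''
path "secret/*" {
  capabilities = ["read", "list"]
}
path "secret/foo" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''
LOOSE = 'path "secret/*" {\n  capabilities = ["create", "update", "sudo"]\n}\n'
```

The rendered string is what you would pass as the policy argument to client.sys.create_or_update_policy(); audit_policy() is meant to run over client.sys.read_policy(name)['data']['rules'] before a change ships.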

List Policies

Policy.list_policies()

List all configured policies.

Supported methods:

GET: /sys/policy. Produces: 200 application/json

Returns

The JSON response of the request.

Return type

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

list_policies_resp = client.sys.list_policies()['data']['policies']
print('List of currently configured policies: %s' % ', '.join(list_policies_resp))

Example output:

List of currently configured policies: default, my-policy-name, secret-writer, root

Read Policy

Policy.read_policy(name)

Retrieve the policy body for the named policy.

Supported methods:

GET: /sys/policy/{name}. Produces: 200 application/json

Parameters

name (str | unicode) – The name of the policy to retrieve.

Returns

The response of the request.

Return type

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

hvac_policy_rules = client.sys.read_policy(name='secret-writer')['data']['rules']
print('secret-writer policy rules:\n%s' % hvac_policy_rules)

Example output:

secret-writer policy rules:

path "sys" {
  capabilities = ["deny"]
}

path "secret/*" {
  capabilities = ["read", "list"]
}

path "secret/foo" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
...

Create Or Update Policy

Policy.create_or_update_policy(name, policy, pretty_print=True)

Add a new policy or update an existing one.

Once a policy is updated, it takes effect immediately for all associated users.

Supported methods:

PUT: /sys/policy/{name}. Produces: 204 (empty body)

Parameters
  • name (str | unicode) – Specifies the name of the policy to create.

  • policy (str | unicode | dict) – Specifies the policy document.

  • pretty_print (bool) – If True, and a dict was provided for the policy argument, send the policy JSON to Vault with "pretty" formatting.

Returns

The response of the request.

Return type

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

policy = '''
    path "sys" {
        capabilities = ["deny"]
    }
    path "secret" {
        capabilities = ["create", "read", "update", "delete", "list"]
    }
'''
client.sys.create_or_update_policy(
    name='secret-writer',
    policy=policy,
)

Delete Policy

Policy.delete_policy(name)

Delete the policy with the given name.

This will immediately affect all users associated with this policy.

Supported methods:

DELETE: /sys/policy/{name}. Produces: 204 (empty body)

Parameters

name (str | unicode) – Specifies the name of the policy to delete.

Returns

The response of the request.

Return type

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.delete_policy(
    name='secret-writer',
)