# Full admin policy
#
# Vault ACL policy granting broad administrative rights. Review notes:
# - Almost every stanza grants the full capability set including "sudo", and
#   the catch-all `path "+/*"` at the bottom extends that to any path with at
#   least two segments. In practice this policy is close to root-equivalent;
#   tokens carrying it deserve root-token handling (short TTL, limited uses,
#   issuance logged and reviewed).
# - Two stanzas are themselves privilege-escalation paths: `sys/policies/acl/*`
#   lets a holder rewrite any policy (including this one) and `identity/*` lets
#   a holder attach policies to entities/groups.
# - `sys/audit/*` with "delete" lets a holder disable audit devices; splitting
#   audit administration into a separate, more tightly held policy is worth
#   considering.
# - Several globs duplicate a broader one with identical capabilities (the
#   `auth/<method>/*` stanzas are already covered by `auth/*`). They are
#   harmless but add maintenance noise.
# - The exact-path stanzas (`sys/health`, `sys/seal`, `sys/unseal`,
#   `sys/key-status`, `sys/metrics`, `sys/control-group/request`,
#   `sys/control-group/authorize`) carry narrower capabilities. Vault's path
#   priority rules favour the more specific pattern over a glob, so these
#   restrictions should still apply despite the broad globs; confirm with
#   `vault token capabilities` after any change.
# Manage authentication methods
# Covers enabling/disabling auth methods and every auth-method-specific path
# below; the following auth/* stanzas are subsumed by this one.
path "auth/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage tokens
# Redundant with auth/* above (same capabilities); kept for readability.
path "auth/token/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage approles
# Redundant with auth/* above (same capabilities).
path "auth/approle/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Exact mount path; "auth/approle/*" does not match "auth/approle" itself.
path "auth/approle" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage JWT/OIDC auth methods
# Both redundant with auth/* above (same capabilities).
path "auth/jwt/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "auth/oidc/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage policies
# Write access here allows editing any ACL policy, i.e. self-escalation.
path "sys/policies/acl/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage secret engines
# Mount/unmount/tune of secrets engines; unmount destroys the engine's data.
path "sys/mounts/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage leases
# Includes lease lookup, renew and revoke (including revoke-prefix / revoke-force).
path "sys/leases/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage configuration
path "sys/config/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage audit devices
# "delete" here permits disabling audit devices; a holder can remove logging
# of their own actions. Consider carving this out into a separate policy.
path "sys/audit/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage identity
# Entities, aliases and groups; "update" lets a holder attach policies to
# identities, which is another escalation path.
path "identity/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage namespace
# NOTE(review): namespaces are an Enterprise feature; harmless on OSS.
path "sys/namespaces/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Access and manage secrets
# Full read/write on the default KV mount "secret".
path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Exact mount path; "secret/*" does not match "secret" itself.
path "secret" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# A second mount named "secrets", if present.
path "secrets/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage sys control group
# NOTE(review): control groups are an Enterprise feature. The narrower
# request/authorize stanzas below are more specific and should take priority.
path "sys/control-group/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage plugins
# Registering plugins means executing operator-supplied binaries on the Vault
# host; treat as equivalent to host-level access.
path "sys/plugins/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage sys health
# Read-only health check. NOTE(review): "sudo" appears unnecessary here;
# confirm before dropping it.
path "sys/health" {
capabilities = ["read", "sudo"]
}
# Manage sys seal/unseal
# Sealing is update-only; a holder can take the cluster offline. Unseal still
# requires the unseal key shares / recovery keys supplied in the request.
path "sys/seal" {
capabilities = ["update"]
}
path "sys/unseal" {
capabilities = ["update"]
}
# Manage keys
# Read-only: reports the active encryption key term, not key material.
path "sys/key-status" {
capabilities = ["read"]
}
# Manage storage
# Integrated (raft) storage administration, including peer removal and
# snapshot restore.
path "sys/storage/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage sys metrics
path "sys/metrics" {
capabilities = ["read"]
}
# Manage licenses
# NOTE(review): Enterprise feature; harmless on OSS.
path "sys/license/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage control group request
# Exact path with update only; more specific than sys/control-group/* above.
path "sys/control-group/request" {
capabilities = ["update"]
}
# Manage control group authorize
# Exact path with update only; more specific than sys/control-group/* above.
path "sys/control-group/authorize" {
capabilities = ["update"]
}
# Policy to list and manage all secret mounts
# Exact path; "sys/mounts/*" above does not match "sys/mounts" itself.
path "sys/mounts" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Policy to list and manage all secrets engines
# Used by the web UI to list mounts visible to the token.
path "sys/internal/ui/mounts" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Policy to read, write, update, and delete all secrets at all paths
# NOTE(review): this stanza only covers a mount named "platform"; the
# comment overstates its scope.
path "platform/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# If you have multiple mounts, you need to add similar paths for each
path "kv/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Catch-all: "+" matches any single path segment, so this covers every path
# with at least two segments that is not matched by a more specific stanza
# above, including sensitive sys endpoints not enumerated in this file.
# This is what makes the policy effectively root-equivalent; remove it if the
# per-mount stanzas above are meant to be the actual boundary.
path "+/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}