Root policy in hcl for hashicorp vault

Question

Is this a hashicorp vault policy so that it allows access to any resource and path within vault? I'm looking to enable an admin policy without granting root token access to anyone for obvious security reasons.

path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

Answer 1

I use this admin policy that is able to : - Read system health check - Create and manage ACL policies broadly across Vault - Enable and manage authentication methods broadly across Vault - Manage the Key-Value secrets engine enabled at secret/ path

path "sys/health"
{
  capabilities = ["read", "sudo"]
}


path "sys/policies/acl"
{
  capabilities = ["list"]
}


path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}


path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "sys/auth/*"
{
  capabilities = ["create", "update", "delete", "sudo"]
}

path "sys/auth"
{
  capabilities = ["read"]
}


path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "sys/mounts"
{
  capabilities = ["read"]
}

Answer 2

The policy @Wunderbread posted is the correct admin policy that can be applied to users without the need for a root token.

Answer 3

Hoping this admin policy is just used in development/test environnement. For obvious security reasons, it seems really unsafe to distribute such policy to anyone.

The Vault root token was designed by Hashicorp to allow you to create specific users with controlled policies at the first configuration of your Vault.

After this step, no one should possess such privilege right.