---
layout: "api"
page_title: "/sys/policies/ - HTTP API"
sidebar_title: "<code>/sys/policies</code>"
sidebar_current: "api-http-system-policies"
description: |-
  The `/sys/policies/` endpoints are used to manage ACL, RGP, and EGP policies in Vault.
---

# `/sys/policies/`

The `/sys/policies` endpoints are used to manage ACL, RGP, and EGP policies in Vault.

~> **NOTE**: This endpoint is only available in Vault version 0.9+. Please also note that RGPs and EGPs are Vault Enterprise Premium features and the associated endpoints are not available in Vault Open Source or Vault Enterprise Pro.

## List ACL Policies

This endpoint lists all configured ACL policies.

| Method | Path                |
| :----- | :------------------ |
| `LIST` | `/sys/policies/acl` |

### Sample Request

```
$ curl \
    -X LIST --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/policies/acl
```

### Sample Response

```json
{
  "keys": ["root", "my-policy"]
}
```

## Read ACL Policy

This endpoint retrieves information about the named ACL policy.

| Method | Path                      |
| :----- | :------------------------ |
| `GET`  | `/sys/policies/acl/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
  This is specified as part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/policies/acl/my-policy
```

### Sample Response

```json
{
  "name": "deploy",
  "policy": "path \"secret/foo\" {..."
}
```

## Create/Update ACL Policy

This endpoint adds a new or updates an existing ACL policy. Once a policy is
updated, it takes effect immediately for all associated users.

| Method | Path                      |
| :----- | :------------------------ |
| `PUT`  | `/sys/policies/acl/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the policy to create.
  This is specified as part of the request URL.

- `policy` `(string: <required>)` - Specifies the policy document. This can be
  base64-encoded to avoid string escaping.

### Sample Payload

```json
{
  "policy": "path \"secret/foo\" {..."
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request PUT \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/policies/acl/my-policy
```

## Delete ACL Policy

This endpoint deletes the ACL policy with the given name. This will immediately
affect all users associated with this policy. (A deleted policy set on a token
acts as an empty policy.)

| Method   | Path                      |
| :------- | :------------------------ |
| `DELETE` | `/sys/policies/acl/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the policy to delete.
  This is specified as part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/policies/acl/my-policy
```

## List RGP Policies

This endpoint lists all configured RGP policies.

| Method | Path                |
| :----- | :------------------ |
| `LIST` | `/sys/policies/rgp` |

### Sample Request

```
$ curl \
    -X LIST --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/policies/rgp
```

### Sample Response

```json
{
  "keys": ["webapp", "database"]
}
```

## Read RGP Policy

This endpoint retrieves information about the named RGP policy.

| Method | Path                      |
| :----- | :------------------------ |
| `GET`  | `/sys/policies/rgp/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
  This is specified as part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/policies/rgp/webapp
```

### Sample Response

```json
{
  "name": "webapp",
  "policy": "rule main = {...",
  "enforcement_level": "soft-mandatory"
}
```

## Create/Update RGP Policy

This endpoint adds a new or updates an existing RGP policy. Once a policy is
updated, it takes effect immediately for all associated users.

| Method | Path                      |
| :----- | :------------------------ |
| `PUT`  | `/sys/policies/rgp/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the policy to create.
  This is specified as part of the request URL.

- `policy` `(string: <required>)` - Specifies the policy document. This can be
  base64-encoded to avoid string escaping.

- `enforcement_level` `(string: <required>)` - Specifies the enforcement level
  to use. This must be one of `advisory`, `soft-mandatory`, or
  `hard-mandatory`.

### Sample Payload

```json
{
  "policy": "rule main = {...",
  "enforcement_level": "soft-mandatory"
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request PUT \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/policies/rgp/webapp
```

## Delete RGP Policy

This endpoint deletes the RGP policy with the given name. This will immediately
affect all users associated with this policy. (A deleted policy set on a token
acts as an empty policy.)

| Method   | Path                      |
| :------- | :------------------------ |
| `DELETE` | `/sys/policies/rgp/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the policy to delete.
  This is specified as part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/policies/rgp/webapp
```

## List EGP Policies

This endpoint lists all configured EGP policies. Since EGP policies act on a
path, this endpoint returns two identifiers:

  * `keys` contains a mapping of names to associated paths in a format that
    `vault list` understands
  * `name_path_map` contains an object mapping names to paths and glob status in
    a more machine-friendly format

| Method | Path                |
| :----- | :------------------ |
| `LIST` | `/sys/policies/egp` |

### Sample Request

```
$ curl \
    -X LIST --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/policies/egp
```

### Sample Response

```json
{
  "keys": [ "breakglass" ]
}
```

## Read EGP Policy

This endpoint retrieves information about the named EGP policy.

| Method | Path                      |
| :----- | :------------------------ |
| `GET`  | `/sys/policies/egp/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the policy to retrieve.
  This is specified as part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/policies/egp/breakglass
```

### Sample Response

```json
{
  "enforcement_level": "soft-mandatory",
  "name": "breakglass",
  "paths": [ "*" ],
  "policy": "rule main = {..."
}
```

## Create/Update EGP Policy

This endpoint adds a new or updates an existing EGP policy. Once a policy is
updated, it takes effect immediately for all associated users.

| Method | Path                      |
| :----- | :------------------------ |
| `PUT`  | `/sys/policies/egp/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the policy to create.
  This is specified as part of the request URL.

- `policy` `(string: <required>)` - Specifies the policy document. This can be
  base64-encoded to avoid string escaping.

- `enforcement_level` `(string: <required>)` - Specifies the enforcement level
  to use. This must be one of `advisory`, `soft-mandatory`, or
  `hard-mandatory`.

- `paths` `(string or array: required)` - Specifies the paths on which this EGP
  should be applied, either as a comma-separated list or an array. Glob
  characters can denote suffixes, e.g. `secret/*`; a path of `*` will affect
  all authenticated and login requests.

### Sample Payload

```json
{
  "policy": "rule main = {...",
  "paths": [ "*", "secret/*", "transit/keys/*" ],
  "enforcement_level": "soft-mandatory"
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request PUT \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/policies/egp/breakglass
```

## Delete EGP Policy

This endpoint deletes the EGP policy with the given name from all paths on which it was configured.

| Method   | Path                      |
| :------- | :------------------------ |
| `DELETE` | `/sys/policies/egp/:name` |

### Parameters

- `name` `(string: <required>)` – Specifies the name of the policy to delete.
  This is specified as part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/policies/egp/breakglass
```
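As an added example (not part of the Vault documentation above), the following Python builds and validates the request bodies accepted by the three Create/Update endpoints on this page: it base64-encodes the policy document so HCL/Sentinel quoting needs no JSON escaping, checks `enforcement_level` against the three documented values, normalises the comma-separated and array forms of `paths`, and refuses parameters an endpoint does not take. `VAULT_ADDR`, `SAMPLE_ACL` and the `put_policy` helper are assumptions, not Vault's own client code.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed defaults: the address matches the page's sample requests; the
# token is supplied by the caller.
VAULT_ADDR = "http://127.0.0.1:8200"
ENFORCEMENT_LEVELS = ("advisory", "soft-mandatory", "hard-mandatory")

# Constructed sample ACL policy document (HCL) granting read-only access.
SAMPLE_ACL = 'path "secret/foo" {\n  capabilities = ["read"]\n}\n'


def build_policy_payload(kind, policy, enforcement_level=None, paths=None):
    """Build the JSON body for PUT /sys/policies/<kind>/:name.

    The policy text is base64-encoded (the documented alternative to
    escaping it), and parameters an endpoint does not accept are rejected
    instead of being sent and silently ignored or misapplied.
    """
    if kind not in ("acl", "rgp", "egp"):
        raise ValueError(f"unknown policy kind: {kind}")
    payload = {"policy": base64.b64encode(policy.encode()).decode()}
    if kind == "acl":
        if enforcement_level is not None or paths is not None:
            raise ValueError("ACL policies take neither enforcement_level nor paths")
        return payload
    if enforcement_level not in ENFORCEMENT_LEVELS:
        raise ValueError(f"enforcement_level must be one of {ENFORCEMENT_LEVELS}")
    payload["enforcement_level"] = enforcement_level
    if kind == "rgp":
        if paths is not None:
            raise ValueError("RGP policies take no paths (use an EGP instead)")
        return payload
    # EGP: accept the comma-separated form or a list; always send a list.
    if isinstance(paths, str):
        paths = [p.strip() for p in paths.split(",") if p.strip()]
    if not paths:
        raise ValueError("EGP policies require at least one path")
    payload["paths"] = list(paths)
    return payload


def put_policy(kind, name, payload, token, addr=VAULT_ADDR):
    """Send the PUT to a running Vault and return the HTTP status code."""
    url = f"{addr}/v1/sys/policies/{kind}/{urllib.parse.quote(name, safe='')}"
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="PUT",
                                 headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

A call such as `put_policy("egp", "breakglass", build_policy_payload("egp", SAMPLE_ACL, "soft-mandatory", "*, secret/*"), token)` reproduces the EGP sample request above with a validated body.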