vault policy list and read: Inspect Policies
vault policy list shows every policy name and vault policy read NAME prints a policy body.
To audit what a CI role can do, list the policies and read the relevant one. Every Vault has the built-in default and root policies you cannot delete.
What it does
vault policy list returns all ACL policy names. vault policy read NAME prints the HCL of one policy. Together they let you verify that a bootstrap created the policy you expected and that it grants exactly the paths intended.
Common usage
vault policy list
vault policy read ci
# diff what is deployed against a file
diff <(vault policy read ci) ci-policy.hclOptions
| Command | What it does |
|---|---|
| vault policy list | List all policy names |
| vault policy read <name> | Print one policy body |
| -format=json | Output as JSON |
In CI
A drift check that diffs vault policy read <name> against the checked-in HCL catches out-of-band edits. The default and root policies always exist: root grants everything and default is attached to most tokens, granting a small set of self-service paths.
Common errors in CI
"No policy named: ci" from policy read means it was never written or was written to a different namespace. "permission denied" means the token cannot read sys/policies/acl; least-privilege CI tokens usually cannot list policies, which is by design.