Skip to content
Latchkey

vault policy list and read: Inspect Policies

vault policy list shows every policy name and vault policy read NAME prints a policy body.

To audit what a CI role can do, list the policies and read the relevant one. Every Vault has the built-in default and root policies you cannot delete.

What it does

vault policy list returns all ACL policy names. vault policy read NAME prints the HCL of one policy. Together they let you verify that a bootstrap created the policy you expected and that it grants exactly the paths intended.

Common usage

Terminal
vault policy list
vault policy read ci
# diff what is deployed against a file
diff <(vault policy read ci) ci-policy.hcl

Options

CommandWhat it does
vault policy listList all policy names
vault policy read <name>Print one policy body
-format=jsonOutput as JSON

In CI

A drift check that diffs vault policy read <name> against the checked-in HCL catches out-of-band edits. The default and root policies always exist: root grants everything and default is attached to most tokens, granting a small set of self-service paths.

Common errors in CI

"No policy named: ci" from policy read means it was never written or was written to a different namespace. "permission denied" means the token cannot read sys/policies/acl; least-privilege CI tokens usually cannot list policies, which is by design.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →