This is a data source which can be used to construct an HCL representation of a Vault policy document, for use with resources which expect policy documents, such as the vault.Policy resource.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// A single rule granting every CRUD capability plus list on everything
// under secret/. It is intentionally broad for the example; narrow the
// path and capability set before using it outside a demo.
const allSecretCapabilities = [
    "create",
    "read",
    "update",
    "delete",
    "list",
];
const example = vault.getPolicyDocument({
    rules: [
        {
            path: "secret/*",
            capabilities: allSecretCapabilities,
            description: "allow all on secrets",
        },
    ],
});
// The direct invocation form returns a Promise; resolve it to the rendered
// HCL when wiring it into the Policy resource.
const examplePolicy = new vault.Policy("example", {
    name: "example_policy",
    policy: example.then(result => result.hcl),
});
import pulumi
import pulumi_vault as vault
# A single rule granting every CRUD capability plus list on all of secret/*.
# This is deliberately permissive for the example; real policies should
# scope the path and capability list down to what the client needs.
secret_rule = {
    "path": "secret/*",
    "capabilities": ["create", "read", "update", "delete", "list"],
    "description": "allow all on secrets",
}
example = vault.get_policy_document(rules=[secret_rule])
# The rendered HCL is fed straight into the Policy resource.
example_policy = vault.Policy(
    "example",
    name="example_policy",
    policy=example.hcl,
)
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// One rule covering every CRUD capability plus list on secret/*.
		// Deliberately broad for the example; tighten the path and the
		// capability set for real workloads.
		secretRule := vault.GetPolicyDocumentRule{
			Path:         "secret/*",
			Capabilities: []string{"create", "read", "update", "delete", "list"},
			Description:  pulumi.StringRef("allow all on secrets"),
		}
		doc, err := vault.GetPolicyDocument(ctx, &vault.GetPolicyDocumentArgs{
			Rules: []vault.GetPolicyDocumentRule{secretRule},
		}, nil)
		if err != nil {
			return err
		}
		// The rendered HCL becomes the body of the Policy resource; the
		// error from NewPolicy (nil on success) is the program's result.
		_, err = vault.NewPolicy(ctx, "example", &vault.PolicyArgs{
			Name:   pulumi.String("example_policy"),
			Policy: pulumi.String(doc.Hcl),
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // One rule granting every CRUD capability plus list on secret/*.
    // Intentionally broad for the example; scope it down for real use.
    var secretRule = new Vault.Inputs.GetPolicyDocumentRuleInputArgs
    {
        Path = "secret/*",
        Capabilities = new[] { "create", "read", "update", "delete", "list" },
        Description = "allow all on secrets",
    };

    var example = Vault.GetPolicyDocument.Invoke(new()
    {
        Rules = new[] { secretRule },
    });

    // The rendered HCL is the body of the Policy resource.
    var examplePolicy = new Vault.Policy("example", new()
    {
        Name = "example_policy",
        PolicyContents = example.Apply(result => result.Hcl),
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Policy;
import com.pulumi.vault.PolicyArgs;
import com.pulumi.vault.VaultFunctions;
import com.pulumi.vault.inputs.GetPolicyDocumentArgs;
import com.pulumi.vault.inputs.GetPolicyDocumentRuleArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds a policy document with one rule and renders it into a Policy.
     * The rule grants every CRUD capability plus list on secret/*, which is
     * intentionally broad for the example; scope it down for real use.
     */
    public static void stack(Context ctx) {
        var secretRule = GetPolicyDocumentRuleArgs.builder()
            .path("secret/*")
            .capabilities("create", "read", "update", "delete", "list")
            .description("allow all on secrets")
            .build();

        var docArgs = GetPolicyDocumentArgs.builder()
            .rules(secretRule)
            .build();
        final var example = VaultFunctions.getPolicyDocument(docArgs);

        // The rendered HCL becomes the body of the Policy resource.
        var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
            .name("example_policy")
            .policy(example.hcl())
            .build());
    }
}
# The policy document is computed first (variables) and then rendered into
# the Policy resource. The single rule grants every CRUD capability plus
# list on secret/*; it is intentionally broad for the example.
variables:
  example:
    fn::invoke:
      function: vault:getPolicyDocument
      arguments:
        rules:
          - path: secret/*
            capabilities:
              - create
              - read
              - update
              - delete
              - list
            description: allow all on secrets
resources:
  examplePolicy:
    type: vault:Policy
    name: example
    properties:
      name: example_policy
      policy: ${example.hcl}
Using getPolicyDocument
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>
def get_policy_document(namespace: Optional[str] = None,
rules: Optional[Sequence[GetPolicyDocumentRule]] = None,
opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
def get_policy_document_output(namespace: Optional[pulumi.Input[str]] = None,
rules: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentRuleArgs]]]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]
func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput
> Note: This function is named GetPolicyDocument in the Go SDK.
public static class GetPolicyDocument
{
public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
public static Output<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
fn::invoke:
function: vault:index/getPolicyDocument:getPolicyDocument
arguments:
# arguments dictionary
The following arguments are supported:
- namespace String
- rules List<Property Map>
getPolicyDocument Result
The following output properties are available:
- Hcl string
- The above arguments serialized as a standard Vault HCL policy document.
- Id string
- The provider-assigned unique ID for this managed resource.
- Rules List<GetPolicyDocumentRule>
- Namespace string
- Hcl string
- The above arguments serialized as a standard Vault HCL policy document.
- Id string
- The provider-assigned unique ID for this managed resource.
- Rules []GetPolicyDocumentRule
- Namespace string
- hcl String
- The above arguments serialized as a standard Vault HCL policy document.
- id String
- The provider-assigned unique ID for this managed resource.
- rules List<GetPolicyDocumentRule>
- namespace String
- hcl string
- The above arguments serialized as a standard Vault HCL policy document.
- id string
- The provider-assigned unique ID for this managed resource.
- rules GetPolicyDocumentRule[]
- namespace string
- hcl str
- The above arguments serialized as a standard Vault HCL policy document.
- id str
- The provider-assigned unique ID for this managed resource.
- rules Sequence[GetPolicyDocumentRule]
- namespace str
- hcl String
- The above arguments serialized as a standard Vault HCL policy document.
- id String
- The provider-assigned unique ID for this managed resource.
- rules List<Property Map>
- namespace String
Supporting Types
GetPolicyDocumentRule
- Capabilities List<string>
- A list of capabilities that this rule applies to the path. For example, ["read", "write"].
- Path string
- A path in Vault that this rule applies to.
- AllowedParameters List<GetPolicyDocumentRuleAllowedParameter>
- Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- DeniedParameters List<GetPolicyDocumentRuleDeniedParameter>
- Blacklists a list of parameters and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
- Description string
- Description of the rule. Will be added as a comment to the rendered rule.
- MaxWrappingTtl string
- The maximum allowed TTL that clients can specify for a wrapped response.
- MinWrappingTtl string
- The minimum allowed TTL that clients can specify for a wrapped response.
- RequiredParameters List<string>
- A list of parameters that must be specified.
- SubscribeEventTypes List<string>
- A list of event types to subscribe to when using the subscribe capability.
- Capabilities []string
- A list of capabilities that this rule applies to the path. For example, ["read", "write"].
- Path string
- A path in Vault that this rule applies to.
- AllowedParameters []GetPolicyDocumentRuleAllowedParameter
- Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- DeniedParameters []GetPolicyDocumentRuleDeniedParameter
- Blacklists a list of parameters and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
- Description string
- Description of the rule. Will be added as a comment to the rendered rule.
- MaxWrappingTtl string
- The maximum allowed TTL that clients can specify for a wrapped response.
- MinWrappingTtl string
- The minimum allowed TTL that clients can specify for a wrapped response.
- RequiredParameters []string
- A list of parameters that must be specified.
- SubscribeEventTypes []string
- A list of event types to subscribe to when using the subscribe capability.
- capabilities List<String>
- A list of capabilities that this rule applies to the path. For example, ["read", "write"].
- path String
- A path in Vault that this rule applies to.
- allowedParameters List<GetPolicyDocumentRuleAllowedParameter>
- Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- deniedParameters List<GetPolicyDocumentRuleDeniedParameter>
- Blacklists a list of parameters and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
- description String
- Description of the rule. Will be added as a comment to the rendered rule.
- maxWrappingTtl String
- The maximum allowed TTL that clients can specify for a wrapped response.
- minWrappingTtl String
- The minimum allowed TTL that clients can specify for a wrapped response.
- requiredParameters List<String>
- A list of parameters that must be specified.
- subscribeEventTypes List<String>
- A list of event types to subscribe to when using the subscribe capability.
- capabilities string[]
- A list of capabilities that this rule applies to the path. For example, ["read", "write"].
- path string
- A path in Vault that this rule applies to.
- allowedParameters GetPolicyDocumentRuleAllowedParameter[]
- Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- deniedParameters GetPolicyDocumentRuleDeniedParameter[]
- Blacklists a list of parameters and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
- description string
- Description of the rule. Will be added as a comment to the rendered rule.
- maxWrappingTtl string
- The maximum allowed TTL that clients can specify for a wrapped response.
- minWrappingTtl string
- The minimum allowed TTL that clients can specify for a wrapped response.
- requiredParameters string[]
- A list of parameters that must be specified.
- subscribeEventTypes string[]
- A list of event types to subscribe to when using the subscribe capability.
- capabilities Sequence[str]
- A list of capabilities that this rule applies to the path. For example, ["read", "write"].
- path str
- A path in Vault that this rule applies to.
- allowed_parameters Sequence[GetPolicyDocumentRuleAllowedParameter]
- Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- denied_parameters Sequence[GetPolicyDocumentRuleDeniedParameter]
- Blacklists a list of parameters and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
- description str
- Description of the rule. Will be added as a comment to the rendered rule.
- max_wrapping_ttl str
- The maximum allowed TTL that clients can specify for a wrapped response.
- min_wrapping_ttl str
- The minimum allowed TTL that clients can specify for a wrapped response.
- required_parameters Sequence[str]
- A list of parameters that must be specified.
- subscribe_event_types Sequence[str]
- A list of event types to subscribe to when using the subscribe capability.
- capabilities List<String>
- A list of capabilities that this rule applies to the path. For example, ["read", "write"].
- path String
- A path in Vault that this rule applies to.
- allowedParameters List<Property Map>
- Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- deniedParameters List<Property Map>
- Blacklists a list of parameters and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
- description String
- Description of the rule. Will be added as a comment to the rendered rule.
- maxWrappingTtl String
- The maximum allowed TTL that clients can specify for a wrapped response.
- minWrappingTtl String
- The minimum allowed TTL that clients can specify for a wrapped response.
- requiredParameters List<String>
- A list of parameters that must be specified.
- subscribeEventTypes List<String>
- A list of event types to subscribe to when using the subscribe capability.
GetPolicyDocumentRuleAllowedParameter
GetPolicyDocumentRuleDeniedParameter
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the vault Terraform Provider.
