HashiCorp Vault v7.4.0 published on Wednesday, Nov 5, 2025 by Pulumi
vault.getPolicyDocument
Start a Neo task
Explain and create a vault.getPolicyDocument resource
This is a data source which can be used to construct a HCL representation of an Vault policy document, for use with resources which expect policy documents, such as the vault.Policy resource.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const example = vault.getPolicyDocument({
rules: [{
path: "secret/*",
capabilities: [
"create",
"read",
"update",
"delete",
"list",
],
description: "allow all on secrets",
}],
});
const examplePolicy = new vault.Policy("example", {
name: "example_policy",
policy: example.then(example => example.hcl),
});
import pulumi
import pulumi_vault as vault
example = vault.get_policy_document(rules=[{
"path": "secret/*",
"capabilities": [
"create",
"read",
"update",
"delete",
"list",
],
"description": "allow all on secrets",
}])
example_policy = vault.Policy("example",
name="example_policy",
policy=example.hcl)
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := vault.GetPolicyDocument(ctx, &vault.GetPolicyDocumentArgs{
Rules: []vault.GetPolicyDocumentRule{
{
Path: "secret/*",
Capabilities: []string{
"create",
"read",
"update",
"delete",
"list",
},
Description: pulumi.StringRef("allow all on secrets"),
},
},
}, nil)
if err != nil {
return err
}
_, err = vault.NewPolicy(ctx, "example", &vault.PolicyArgs{
Name: pulumi.String("example_policy"),
Policy: pulumi.String(example.Hcl),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var example = Vault.GetPolicyDocument.Invoke(new()
{
Rules = new[]
{
new Vault.Inputs.GetPolicyDocumentRuleInputArgs
{
Path = "secret/*",
Capabilities = new[]
{
"create",
"read",
"update",
"delete",
"list",
},
Description = "allow all on secrets",
},
},
});
var examplePolicy = new Vault.Policy("example", new()
{
Name = "example_policy",
PolicyContents = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Hcl),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.VaultFunctions;
import com.pulumi.vault.inputs.GetPolicyDocumentArgs;
import com.pulumi.vault.Policy;
import com.pulumi.vault.PolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var example = VaultFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.rules(GetPolicyDocumentRuleArgs.builder()
.path("secret/*")
.capabilities(
"create",
"read",
"update",
"delete",
"list")
.description("allow all on secrets")
.build())
.build());
var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
.name("example_policy")
.policy(example.hcl())
.build());
}
}
resources:
examplePolicy:
type: vault:Policy
name: example
properties:
name: example_policy
policy: ${example.hcl}
variables:
example:
fn::invoke:
function: vault:getPolicyDocument
arguments:
rules:
- path: secret/*
capabilities:
- create
- read
- update
- delete
- list
description: allow all on secrets
Using getPolicyDocument
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>def get_policy_document(namespace: Optional[str] = None,
rules: Optional[Sequence[GetPolicyDocumentRule]] = None,
opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
def get_policy_document_output(namespace: Optional[pulumi.Input[str]] = None,
rules: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentRuleArgs]]]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput> Note: This function is named GetPolicyDocument in the Go SDK.
public static class GetPolicyDocument
{
public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
public static Output<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
fn::invoke:
function: vault:index/getPolicyDocument:getPolicyDocument
arguments:
# arguments dictionaryThe following arguments are supported:
- namespace String
- rules List<Property Map>
getPolicyDocument Result
The following output properties are available:
- Hcl string
- The above arguments serialized as a standard Vault HCL policy document.
- Id string
- The provider-assigned unique ID for this managed resource.
- Rules
List<Get
Policy Document Rule> - Namespace string
- Hcl string
- The above arguments serialized as a standard Vault HCL policy document.
- Id string
- The provider-assigned unique ID for this managed resource.
- Rules
[]Get
Policy Document Rule - Namespace string
- hcl String
- The above arguments serialized as a standard Vault HCL policy document.
- id String
- The provider-assigned unique ID for this managed resource.
- rules
List<Get
Policy Document Rule> - namespace String
- hcl string
- The above arguments serialized as a standard Vault HCL policy document.
- id string
- The provider-assigned unique ID for this managed resource.
- rules
Get
Policy Document Rule[] - namespace string
- hcl str
- The above arguments serialized as a standard Vault HCL policy document.
- id str
- The provider-assigned unique ID for this managed resource.
- rules
Sequence[Get
Policy Document Rule] - namespace str
- hcl String
- The above arguments serialized as a standard Vault HCL policy document.
- id String
- The provider-assigned unique ID for this managed resource.
- rules List<Property Map>
- namespace String
Supporting Types
GetPolicyDocumentRule
- Capabilities List<string>
- A list of capabilities that this rule apply to
path. For example, ["read", "write"]. - Path string
- A path in Vault that this rule applies to.
- Allowed
Parameters List<GetPolicy Document Rule Allowed Parameter> - Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- Denied
Parameters List<GetPolicy Document Rule Denied Parameter> - Blacklists a list of parameter and values. Any values specified here take precedence over
allowed_parameter. See Parameters below. - Description string
- Description of the rule. Will be added as a comment to rendered rule.
- Max
Wrapping stringTtl - The maximum allowed TTL that clients can specify for a wrapped response.
- Min
Wrapping stringTtl - The minimum allowed TTL that clients can specify for a wrapped response.
- Required
Parameters List<string> - A list of parameters that must be specified.
- Subscribe
Event List<string>Types - A list of event types to subscribe to when using
subscribecapability.
- Capabilities []string
- A list of capabilities that this rule apply to
path. For example, ["read", "write"]. - Path string
- A path in Vault that this rule applies to.
- Allowed
Parameters []GetPolicy Document Rule Allowed Parameter - Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- Denied
Parameters []GetPolicy Document Rule Denied Parameter - Blacklists a list of parameter and values. Any values specified here take precedence over
allowed_parameter. See Parameters below. - Description string
- Description of the rule. Will be added as a comment to rendered rule.
- Max
Wrapping stringTtl - The maximum allowed TTL that clients can specify for a wrapped response.
- Min
Wrapping stringTtl - The minimum allowed TTL that clients can specify for a wrapped response.
- Required
Parameters []string - A list of parameters that must be specified.
- Subscribe
Event []stringTypes - A list of event types to subscribe to when using
subscribecapability.
- capabilities List<String>
- A list of capabilities that this rule apply to
path. For example, ["read", "write"]. - path String
- A path in Vault that this rule applies to.
- allowed
Parameters List<GetPolicy Document Rule Allowed Parameter> - Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- denied
Parameters List<GetPolicy Document Rule Denied Parameter> - Blacklists a list of parameter and values. Any values specified here take precedence over
allowed_parameter. See Parameters below. - description String
- Description of the rule. Will be added as a comment to rendered rule.
- max
Wrapping StringTtl - The maximum allowed TTL that clients can specify for a wrapped response.
- min
Wrapping StringTtl - The minimum allowed TTL that clients can specify for a wrapped response.
- required
Parameters List<String> - A list of parameters that must be specified.
- subscribe
Event List<String>Types - A list of event types to subscribe to when using
subscribecapability.
- capabilities string[]
- A list of capabilities that this rule apply to
path. For example, ["read", "write"]. - path string
- A path in Vault that this rule applies to.
- allowed
Parameters GetPolicy Document Rule Allowed Parameter[] - Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- denied
Parameters GetPolicy Document Rule Denied Parameter[] - Blacklists a list of parameter and values. Any values specified here take precedence over
allowed_parameter. See Parameters below. - description string
- Description of the rule. Will be added as a comment to rendered rule.
- max
Wrapping stringTtl - The maximum allowed TTL that clients can specify for a wrapped response.
- min
Wrapping stringTtl - The minimum allowed TTL that clients can specify for a wrapped response.
- required
Parameters string[] - A list of parameters that must be specified.
- subscribe
Event string[]Types - A list of event types to subscribe to when using
subscribecapability.
- capabilities Sequence[str]
- A list of capabilities that this rule apply to
path. For example, ["read", "write"]. - path str
- A path in Vault that this rule applies to.
- allowed_
parameters Sequence[GetPolicy Document Rule Allowed Parameter] - Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- denied_
parameters Sequence[GetPolicy Document Rule Denied Parameter] - Blacklists a list of parameter and values. Any values specified here take precedence over
allowed_parameter. See Parameters below. - description str
- Description of the rule. Will be added as a comment to rendered rule.
- max_
wrapping_ strttl - The maximum allowed TTL that clients can specify for a wrapped response.
- min_
wrapping_ strttl - The minimum allowed TTL that clients can specify for a wrapped response.
- required_
parameters Sequence[str] - A list of parameters that must be specified.
- subscribe_
event_ Sequence[str]types - A list of event types to subscribe to when using
subscribecapability.
- capabilities List<String>
- A list of capabilities that this rule apply to
path. For example, ["read", "write"]. - path String
- A path in Vault that this rule applies to.
- allowed
Parameters List<Property Map> - Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
- denied
Parameters List<Property Map> - Blacklists a list of parameter and values. Any values specified here take precedence over
allowed_parameter. See Parameters below. - description String
- Description of the rule. Will be added as a comment to rendered rule.
- max
Wrapping StringTtl - The maximum allowed TTL that clients can specify for a wrapped response.
- min
Wrapping StringTtl - The minimum allowed TTL that clients can specify for a wrapped response.
- required
Parameters List<String> - A list of parameters that must be specified.
- subscribe
Event List<String>Types - A list of event types to subscribe to when using
subscribecapability.
GetPolicyDocumentRuleAllowedParameter
GetPolicyDocumentRuleDeniedParameter
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.
