Vault
/sys/capabilities-accessor
[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under/website
, are now located inhashicorp/web-unified-docs
, colocated with all other product documentation. Contributions to this content should be done in theweb-unified-docs
repo, and not this one. Changes made to/website
content in this repo will not be reflected on the developer.hashicorp.com website.
The /sys/capabilities-accessor
endpoint is used to fetch the capabilities of
the token associated with the given accessor. The capabilities returned will be
derived from the policies that are on the token, and from the policies to which
the token is entitled to through the entity and entity's group memberships.
Query token accessor capabilities
This endpoint returns the capabilities of the token associated with the given
accessor, for the given path. Multiple paths are taken in at once and the
capabilities of the token associated with the given accessor for each path is
returned. For backwards compatibility, if a single path is supplied, a
capabilities
field will also be returned.
Note
Paths that do not exist or have no capabilities return [deny]
in the response.
Method | Path |
---|---|
POST | /sys/capabilities-accessor |
Parameters
accessor
(string: <required>)
– Accessor of the token for which capabilities are being queried.paths
(list: <required>)
– Paths on which capabilities are being queried.
Sample payload
{
"accessor": "abcd1234",
"paths": ["secret/foo"]
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/capabilities-accessor
Sample response
{
"capabilities": ["delete", "list", "read", "update"],
"secret/foo": ["delete", "list", "read", "update"]
}