What is a "capability" within Vault policies?


A capability within Vault policies refers to an allowed action that can be performed by a token or identity. This concept is central to how HashiCorp Vault manages access control and permissions. Each token or identity that is granted a policy can perform specific operations based on the capabilities defined within that policy.

For instance, capabilities can include actions like creating, reading, updating, or deleting secrets, depending on what is permitted by the policies attached to the token. By explicitly defining capabilities in this way, Vault ensures that the principle of least privilege is respected, allowing for fine-grained access control to sensitive data. This model enhances security by limiting what users or applications can do based on their assigned roles and responsibilities, which is a fundamental aspect of Vault's architecture.
