From c811f64d0bf63619170bfd9b3b622bf66c552f94 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Mon, 11 Sep 2023 12:10:40 -0400 Subject: [PATCH] Add production ACL policies Signed-off-by: Alexander Scheel --- README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/README.md b/README.md index 0368e79..a5449e2 100644 --- a/README.md +++ b/README.md @@ -140,3 +140,43 @@ Note: the `--id` should be identical to your `--key_name` in the previous step. ```bash ./notation verify /@ -v ``` + +## Vault ACL Policy + +This signing plugin (`notation-hc-vault`) interacts with the following paths: + + - read on `secret/data/:keyid` + - update on `transit/sign/:keyid` + +Thus the following ACL policy would be required for this plugin: + +```hcl +path "secret/data/:keyid" { + capabilities = ["read"] +} + +path "transit/sign/:keyid" { + capabilities = ["update"] +} +``` + +This plugin's helper `key-helper` for rotating signed certificates +interacts with the following paths: + + - create or update on `secret/data/:keyid` + - update on `transit/keys/:keyid/import` + +Thus the following ACL policy would be required for this helper: + +```hcl +path "secret/data/:keyid" { + capabilities = ["create", "update"] +} + +path "transit/keys/:keyid/import" { + capabilities = ["update"] +} +``` + +Refer to the Hashicorp Vault [tutorial for policies](https://developer.hashicorp.com/vault/tutorials/policies/policy-templating) +for more information on using policies.
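Review bot: the `:keyid` segment in every `path` stanza of both HCL policies reads like a route parameter, but Vault matches policy paths literally (only `*` and `+` act as wildcards, and templating uses `{{...}}` expressions), so a reader who pastes these blocks unchanged gets policies that grant nothing usable; state explicitly that `:keyid` must be replaced with the concrete Transit key name, for example `path "transit/sign/my-signing-key" {`, and note that substituting a glob such as `transit/sign/*` widens the grant from one key to every key in the mount, which undercuts the least-privilege split between the sign-only plugin policy and the import-capable `key-helper` policy that this hunk otherwise gets right. Minor: the vendor styles its name `HashiCorp`, not `Hashicorp`, in the closing paragraph.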