Now we need to create a policy which restricts Jerakia to using only the encryption and decryption endpoints.

In order to create this policy, we'll create a new file, jerakia_policy.hcl, and then import it into Vault using the policy-write Vault command:

# jerakia_policy.hcl 
path "transit/decrypt/jerakia" {
   policy = "write"
 }
 path "transit/encrypt/jerakia" {
   policy = "write"
 }
$ ./vault policy-write jerakia jerakia_policy.hcl