Configure HCP Vault Secrets permissions
You can manage HCP Vault Secrets permissions from apps in HCP Vault Secrets, or based on their roles at either the organization or project level.
Assigning roles at the application level allows organizations to follow the principle of least privilege. App-based role assignments do not grant access to other HCP services.
When a user account is assigned multiple roles, the permission set from each role is additive. For example, if `userA` has the HCP organization admin role, and is then given the viewer role in the project where HCP Vault Secrets is configured, the effective permission for `userA` in HCP Vault Secrets will be admin.
The following table lists HCP Vault Secrets permissions based on Role-Based Access Control (RBAC) at the organization or project level. The recommended practice is to grant the App manager role to at least one HCP user in the project(s) where HCP Vault Secrets is used to manage integrations.
HCP Vault Secrets organization and project permissions | Viewer | Contributor | Admin | App manager | App secrets reader |
---|---|---|---|---|---|
Create and edit applications | ❌ | ✅ | ✅ | ✅ | ❌ |
View applications | ✅ | ✅ | ✅ | ✅ | ✅ |
Delete applications | ❌ | ✅ | ✅ | ✅ | ❌ |
Create secrets and new versions of secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
Read secrets | ✅ | ✅ | ✅ | ✅ | ✅ |
Edit secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
Delete secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
View audit logs | ❌ | ❌ | ✅ | ❌ | ❌ |
Add existing users or service principals to applications | ❌ | ❌ | ✅ | ❌ | ❌ |
Remove users or service principals from applications | ❌ | ❌ | ✅ | ❌ | ❌ |
Create and manage sync integrations | ✅ | ✅ | ✅ | ❌ | ❌ |
Connect sync integrations | ✅ | ✅ | ✅ | ✅ | ❌ |
Disconnect sync integrations | ✅ | ✅ | ✅ | ✅ | ❌ |
Read rotating secrets | ✅ | ✅ | ✅ | ✅ | ✅ |
Create rotating secrets | ❌ | ✅ | ✅ | ❌ | ❌ |
Edit rotating secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
Delete rotating secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
Generate dynamic secrets credentials | ✅ | ✅ | ✅ | ✅ | ✅ |
Create dynamic secrets | ❌ | ✅ | ✅ | ❌ | ❌ |
Edit dynamic secrets | ❌ | ✅ | ✅ | ❌ | ❌ |
Delete dynamic secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
The following table lists HCP Vault Secrets permissions based on Role-Based Access Control (RBAC) at the application level. The recommended practice is to grant IAM users or service principals the App secrets reader role in the HCP Vault Secrets app.
Note: Integration usage (Sync, Auto-rotating, and Dynamic) for the App manager role is coming soon.
HCP Vault Secrets app permissions | App manager | App secrets reader |
---|---|---|
Create and edit applications | ✅ | ❌ |
View applications | ✅ | ✅ |
Delete applications | ✅ | ❌ |
Create static secrets and new versions of secrets | ✅ | ❌ |
Read static secrets | ✅ | ✅ |
Edit static secrets | ✅ | ❌ |
Delete static secrets | ✅ | ❌ |
View audit logs | ❌ | ❌ |
Add existing users or service principals to applications | ✅ | ❌ |
Remove users or service principals from applications | ✅ | ❌ |
Create sync integrations | ❌ | ❌ |
Manage sync integrations | ❌ | ❌ |
Delete sync integrations | ❌ | ❌ |
Connect sync integrations | ❌ | ❌ |
Disconnect sync integrations | ❌ | ❌ |
Read rotating secrets | ✅ | ✅ |
Create rotating secrets | ❌ | ❌ |
Edit rotating secrets | ✅ | ❌ |
Delete rotating secrets | ✅ | ❌ |
Generate dynamic secrets credentials | ✅ | ✅ |
Create dynamic secrets | ❌ | ❌ |
Edit dynamic secrets | ❌ | ❌ |
Delete dynamic secrets | ✅ | ❌ |
Review the Vault Secrets security model documentation for additional information.
Assign role to User, Service Principal or Group
Before you begin, verify the user has an account in your HCP organization. If they are not part of the HCP organization, invite them before proceeding.
HCP administrators can assign the HCP Vault Secrets app manager or secrets reader role using the HCP Portal. Refer to the Terraform Registry for information on using the `vault_secrets_app_iam_binding` resource.
1. Open a browser and navigate to the HCP Portal.
2. Log in with an HCP IAM user with the HCP admin role.
3. Select the organization you want to assign permissions for.
4. Click Access control (IAM).
5. Click Add new assignment.
6. (Optional) Click the Type pulldown menu and select Group, Service principal, or User.
7. Type the name(s) in the Search field, and select the user, group, or service principal you are granting access to.
8. Click the Select service pulldown menu and select Secrets.
9. Click Select role(s) and select the role you want to provide.
10. Verify the new role(s) under Review changes for....
11. Click Save.
The user, group, or service principal now has permissions based on the selected role.
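The same app-level assignment expressed as code, as an added example that is not from the HCP documentation: it binds one service principal to one app with the App secrets reader role, so the workload gets read access to that app and nothing else. It assumes the HCP Terraform provider's `hcp_vault_secrets_app_iam_binding` resource (the binding resource referred to above) with `resource_name`, `principal_id` and `role` arguments, the role identifiers `roles/secrets.app-secret-reader` and `roles/secrets.app-manager`, and an already-authenticated `hcp` provider; the app and service principal names are constructed placeholders, and attribute names should be confirmed against the Terraform Registry.

```hcl
# Added example (not HCP's own code). Assumes the hcp provider is
# authenticated via HCP_CLIENT_ID / HCP_CLIENT_SECRET in the environment.
terraform {
  required_providers {
    hcp = {
      source = "hashicorp/hcp"
    }
  }
}

# The HCP Vault Secrets app whose secrets the workload needs
# (constructed example name).
resource "hcp_vault_secrets_app" "payments" {
  app_name    = "payments-api"
  description = "Secrets for the payments API (constructed example)"
}

# A dedicated service principal for the workload. It receives no
# organization- or project-level role; its only access is the
# app-level binding below, which keeps the blast radius to one app.
resource "hcp_service_principal" "payments_reader" {
  name = "payments-api-reader"
}

# App-level binding: read-only on this app. Reserve the assumed
# "roles/secrets.app-manager" identifier for the one principal that
# administers the app, per the recommended practice above.
resource "hcp_vault_secrets_app_iam_binding" "payments_reader" {
  resource_name = hcp_vault_secrets_app.payments.resource_name
  principal_id  = hcp_service_principal.payments_reader.resource_id
  role          = "roles/secrets.app-secret-reader"
}

# Credentials the workload presents to HCP Vault Secrets. The secret is
# marked sensitive so it is redacted from plan/apply output.
resource "hcp_service_principal_key" "payments_reader" {
  service_principal = hcp_service_principal.payments_reader.resource_name
}

output "reader_client_id" {
  value = hcp_service_principal_key.payments_reader.client_id
}

output "reader_client_secret" {
  value     = hcp_service_principal_key.payments_reader.client_secret
  sensitive = true
}
```

After `terraform apply`, the service principal can read secrets from `payments-api` only; granting it a project-level Viewer or Contributor role in addition would widen its effective permissions, since roles are additive.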