Audit logs of lease creation / secret check-out

Is there a specific setting to enable outputting an event for when a user leases/checks out a secret?

We seem to be getting just about every other event type, but not one that says User X checked out Secret Y. We even get the lease expiry event, but not the creation event!

Without this event, we have no way of knowing which user used the secret, which seems like a poor thing for a Secrets Management tool!

We have enabled both Syslog and File Audit devices.

Can you please share a bit more about your setup?

For example, when you say “checked out secret Y” are you literally referring to the LDAP secrets engine service account checkout:

Or are you using that as a general term to read a secret, for example from the KV secrets engine?

We are using the LDAP secrets engine Service Account library feature for this

Possibly Vault audit logs aren't actually enabled? Or the log level is set to something like err?

Just tried testing locally, and for both service account checkout and role based secrets I see the entries in the audit log.

{
  "auth": {
    "accessor": "hmac-sha256:09b78b024f94ac81f6a12ec6660199731c1bf728391374cc37fcd22231ed0376",
    "client_token": "hmac-sha256:382a2e63c118fb36bac218bc47dd31236d8c71be3d9e2e517770eba30c92158d",
    "display_name": "userpass-jon",
    "entity_id": "14f9844f-fc24-42b1-40ca-63f05c858019",
    "metadata": {
      "username": "jon"
    },
    "policies": [
      "default",
      "fauxroot"
    ],
    "policy_results": {
      "allowed": true,
      "granting_policies": [
        {
          "type": ""
        },
        {
          "name": "fauxroot",
          "namespace_id": "root",
          "type": "acl"
        }
      ]
    },
    "token_policies": [
      "default",
      "fauxroot"
    ],
    "token_issue_time": "2025-12-02T12:18:45-05:00",
    "token_ttl": 2764800,
    "token_type": "service"
  },
  "request": {
    "client_id": "14f9844f-fc24-42b1-40ca-63f05c858019",
    "client_token": "hmac-sha256:024d5cac58ca84e0d9685f3bd4f4a1f5ab58b3577164766ca7db2c3bf4619a02",
    "client_token_accessor": "hmac-sha256:09b78b024f94ac81f6a12ec6660199731c1bf728391374cc37fcd22231ed0376",
    "data": {
      "ttl": null
    },
    "headers": {
      "user-agent": [
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36"
      ]
    },
    "id": "1ac54f53-72c4-23db-6dbc-5b61bea96b3b",
    "mount_accessor": "ldap_12f05f85",
    "mount_class": "secret",
    "mount_point": "ldap/",
    "mount_running_version": "v1.20.4+builtin.vault",
    "mount_type": "ldap",
    "namespace": {
      "id": "root"
    },
    "operation": "update",
    "path": "ldap/library/test/check-out",
    "remote_address": "127.0.0.1",
    "remote_port": 49774
  },
  "response": {
    "data": {
      "password": "hmac-sha256:d62b867d60d10e804d0f1b204c1550b18dbc854147fb79c9d2e139efee719643",
      "service_account_name": "hmac-sha256:18bca6c3e6f5631a009e3936b3d2b6bf4e9ccd9965777c62aa7976844108c5c7"
    },
    "mount_accessor": "ldap_12f05f85",
    "mount_class": "secret",
    "mount_point": "ldap/",
    "mount_running_plugin_version": "v1.20.4+builtin.vault",
    "mount_type": "ldap",
    "secret": {
      "lease_id": "ldap/library/test/check-out/3pJiwULeLBTa6umwLTvq8wJX"
    }
  },
  "time": "2025-12-02T17:21:47.736266Z",
  "type": "response"
}

My test environment is basic, I followed this:

With the following additions:

  • Enabled audit logging vault audit enable file file_path=vault.log
  • Added a second user named bob to the OpenLDAP config
  • Updated the Vault ldap secrets engine config to include userdn="ou=users,dc=learn,dc=example" to properly search for the user bob being added to the library
  • Added a library with the user bob
  • Enabled the userpass auth method with a user named jon (see the log example)

I was able to both read the role the tutorial creates for alice, and checkout and checkin the bob account from the library.
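As an added example (not from this thread or from Vault itself), here is a small filter that extracts the "User X checked out Secret Y" fact from audit lines shaped like the entry above, using only the fields shown there (auth.display_name, auth.entity_id, request.path, response.secret.lease_id). The sample audit lines are constructed and reduced to those fields; note that service_account_name is HMAC'd by the audit device, so the library set in the path and the lease_id are what identify the checked-out account.

```python
import json
import re

# Path of the LDAP secrets engine library check-out endpoint:
# <mount>/library/<set name>/check-out (the mount may itself be a nested path).
CHECKOUT_RE = re.compile(r"^(?P<mount>.+?)/library/(?P<set>[^/]+)/check-out$")

# Constructed sample audit lines, trimmed to the fields this check reads.
# Values under response.data are HMAC'd by the audit device, as in the real log.
SAMPLE_AUDIT_LINES = [
    '{"type":"request","time":"2025-12-02T17:21:47.7Z","auth":{"display_name":"userpass-jon","entity_id":"14f9844f"},'
    '"request":{"operation":"update","path":"ldap/library/test/check-out","remote_address":"127.0.0.1"}}',
    '{"type":"response","time":"2025-12-02T17:21:47.736266Z","auth":{"display_name":"userpass-jon","entity_id":"14f9844f"},'
    '"request":{"operation":"update","path":"ldap/library/test/check-out","remote_address":"127.0.0.1"},'
    '"response":{"data":{"service_account_name":"hmac-sha256:18bc..."},'
    '"secret":{"lease_id":"ldap/library/test/check-out/3pJiwULeLBTa6umwLTvq8wJX"}}}',
    '{"type":"response","time":"2025-12-02T17:22:01Z","auth":{"display_name":"userpass-jon","entity_id":"14f9844f"},'
    '"request":{"operation":"read","path":"secret/data/app"},"response":{"data":{"data":"hmac-sha256:..."}}}',
]


def checkout_events(lines):
    """Return one record per successful check-out: who, which library set, which lease.

    Only 'response' entries are kept so request/response pairs are not counted
    twice, and entries with a top-level 'error' (denied or failed check-outs)
    are skipped. The lease_id is the value the later check-in / lease-expiry
    events carry, so it is the join key back to the user who took the account.
    """
    events = []
    for raw in lines:
        entry = json.loads(raw)
        req = entry.get("request", {})
        m = CHECKOUT_RE.match(req.get("path", ""))
        if (entry.get("type") != "response" or entry.get("error")
                or req.get("operation") != "update" or not m):
            continue
        auth = entry.get("auth", {})
        events.append({
            "time": entry["time"],
            "user": auth.get("display_name"),
            "entity_id": auth.get("entity_id"),
            "library_set": m.group("set"),
            "lease_id": entry.get("response", {}).get("secret", {}).get("lease_id"),
            "remote_address": req.get("remote_address"),
        })
    return events


if __name__ == "__main__":
    for ev in checkout_events(SAMPLE_AUDIT_LINES):
        print(f'{ev["time"]} {ev["user"]} checked out set "{ev["library_set"]}" lease={ev["lease_id"]}')
```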