Auditing vault last access date

venkat · June 17, 2023, 5:04am

In vault, is there a way to identify people who logged in/retrieved any secret in last 30 days?

alain · June 17, 2023, 12:04pm

As a direct command no, but you can enable the audit logs and there is a wealth of information from it :

maxb · June 17, 2023, 12:58pm

The activity reporting in later Vault versions is capable of exporting the entity IDs that have used Vault within each calendar month: /sys/internal/counters - HTTP API | Vault | HashiCorp Developer

It can’t answer “last 30 days” but if your requirements are a bit flexible, it might be of use.

Topic		Replies	Views
Get trace logs of secrets accessed by a particular user(entity) Vault vault	3	1661	November 18, 2021
History of operations over the secret Vault	3	2954	April 4, 2022
Purge certain days older audit logs automatically Vault vault	1	205	December 21, 2022
Vault Audit logs stopping daily/not logging Vault	19	2402	October 31, 2022
Auditing and Logging Vault	2	176	May 9, 2024