Auditing vault last access date

In vault, is there a way to identify people who logged in/retrieved any secret in last 30 days?

As a direct command no, but you can enable the audit logs and there is a wealth of information from it :

1 Like

The activity reporting in later Vault versions is capable of exporting the entity IDs that have used Vault within each calendar month: /sys/internal/counters - HTTP API | Vault | HashiCorp Developer

It can’t answer “last 30 days” but if your requirements are a bit flexible, it might be of use.

2 Likes