Disallow root token to access the users' secrets

Is it possible that the root operator, the service maintainer, doesn’t have read access to the secrets created by the users?

If by “root operator” you mean any root token, then: no. The root token can do anything within Vault. It should be used with extreme care.
It is recommended to create tokens with only the required capabilities through policies and use those instead of the root token. When taking this approach it is very much possible to achieve your goal!


You cannot limit the root token.

You should not be using the root token beyond setting up your system. The best practice is to revoke the root token shortly after you set up your own user’s token and policies.

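A concrete way to apply the advice in both answers, as an added example that is not part of this thread: two Vault ACL policies that scope each user to their own KV v2 path and give the maintainer mount administration without read access to user secrets. It assumes a KV v2 engine mounted at `secret/` and that users authenticate through an identity entity (the policy and token names are made up for this example).

```hcl
# user-secrets.hcl  (assumption: KV v2 mounted at "secret/", one entity per user)
# Templated policy: the path is resolved per request from the caller's identity,
# so an entity can only reach secret/users/<its own entity name>/... .
# KV v2 exposes data under secret/data/ and version info under secret/metadata/.
path "secret/data/users/{{identity.entity.name}}/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/users/{{identity.entity.name}}/*" {
  capabilities = ["list", "read", "delete"]
}

# maintainer.hcl  (the "service maintainer" role from the question)
# Can enable, tune and disable secrets engines and auth methods, and manage
# leases, but is never granted any path under secret/.
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/leases/*" {
  capabilities = ["update", "list"]
}
# Vault is deny-by-default, so this explicit deny only matters if a second
# policy attached to the same token grants secret/data/*; "deny" takes
# precedence over every other capability on a matching path.
path "secret/data/*" {
  capabilities = ["deny"]
}

# Rollout with the CLI, while the root token is still in use for setup:
#   vault policy write user-secrets user-secrets.hcl
#   vault policy write maintainer   maintainer.hcl
#   vault token create -policy=maintainer -orphan -display-name=maintainer
#   vault token revoke <root token>      # the second answer's recommendation
#
# Caveats: do not give the maintainer sys/policies/acl/* (it could rewrite
# these policies), and keep the unseal/recovery key holders separate from the
# maintainer, since a quorum of those keys can mint a new root token with
# "vault operator generate-root".
```

Check the result with `vault token capabilities <maintainer token> secret/data/users/alice/db`, which should print `deny`.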