Fine grain control on the secrets


An application with a certain role (ABC) has been associated with the policy below:

path "secret/data/test/ABC_grp" {
  capabilities = ["read", "create", "update", "delete", "patch"]
}

As expected, with the ABC app token I'm able to upload/read (and so on) the following data. In the UI, I see these key(s)/value(s):

I'm looking for finer control on who can see a particular piece of data in this path. To elaborate, another application with a different role ('DEF') cannot see key 'fruit' from /test/ABC_grp but can see 'car'.

What would my policy look like? BTW, for testing purposes I'm using OSS and have enabled the KV v2 secrets engine.

Appreciate help.


Sorry, you can't. Permissions are set on all data of a secret. Split your secret into 2 secrets.
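One way to implement the split suggested in this answer, shown as an added example that is not from the original thread: each key becomes its own KV v2 secret, and two separate Vault ACL policies (one per role) are written against those paths. The `secret/` mount, the `test/ABC_grp` prefix and the role names come from the question; the `fruit` and `car` sub-paths and the policy names are assumed.

```hcl
# Added example, not the original poster's policy. Assumed layout after the
# split (one secret per key instead of one secret holding both keys):
#   secret/test/ABC_grp/fruit   -> {"value": "..."}
#   secret/test/ABC_grp/car     -> {"value": "..."}
#
# KV v2 serves secret contents at secret/data/<path> and metadata (listing,
# version history, permanent deletion) at secret/metadata/<path>, so a policy
# that should manage the whole subtree needs rules on both prefixes.

# ---- policy "abc-grp-admin", attached to role ABC -------------------------
path "secret/data/test/ABC_grp/*" {
  capabilities = ["create", "read", "update", "delete", "patch"]
}

path "secret/metadata/test/ABC_grp/*" {
  capabilities = ["list", "read", "delete"]
}

# ---- policy "def-car-reader", attached to role DEF ------------------------
# Only the 'car' secret is granted. Nothing matches .../ABC_grp/fruit and Vault
# denies anything not explicitly allowed, so DEF cannot read 'fruit' at all,
# and it cannot list the ABC_grp folder to discover that 'fruit' exists.
path "secret/data/test/ABC_grp/car" {
  capabilities = ["read"]
}

# Optional: lets DEF read the version metadata of 'car' without being able to
# enumerate the sibling secrets under ABC_grp.
path "secret/metadata/test/ABC_grp/car" {
  capabilities = ["read"]
}
```

Keep the two policies in separate files and bind each to its own auth role; a quick check is to log in with a DEF token and confirm that reading `secret/data/test/ABC_grp/fruit` returns a permission denied error while `secret/data/test/ABC_grp/car` succeeds.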

It is possible using Sentinel policies. They are available in Vault Enterprise and HCP.