I would like to know if there is any way to get trace logs of secrets accessed by a particular user. For example we have a lot of static secrets and we would like to reset those passwords when an employee leaves the company or the project, so that we can reset those passwords when disabling his account or when changing their policies etc.
Any sort of solution, internal or a third party plugin, would be appreciated.
Also, to add more details, there could be hundreds of secrets that a user may have access to, but we would only like to get a list of those that he actually viewed, so that we will only need to reset that subset of secrets rather than all of them.
The first thing to do here is to set up auditing, if you haven’t already. If you haven’t then see this guide: Audit Devices | Vault by HashiCorp
You can leverage a tool stack such as ELK. Kibana could be used to generate your reports.
Note that this is not retroactive and you’ll only be able to see the data that is retained in your logging tools. Anything that has aged out will not be returned in your query. There may be methods to summarize and retain older data but that’s beyond my knowledge.
Hi Jeffsanicola,
Thanks for your response, but that seems like an extreme solution to this problem; we will consider it if nothing else works. And yes, we do already have audit devices set up and we are sending the logs to CloudWatch etc.
But we actually don’t want detailed logs, we just want to go to an entity and check how many and which secrets it has accessed in the past, so that when we disable their user we may also be able to rotate/reset the secrets that they had accessed. To us it seemed like this might be a common thing, but we have researched it quite a bit and haven’t found much, so maybe others are doing something else for this. If you or anyone else have a way in which you or your organizations manage this, then please let us know; that would be quite helpful to us, I believe.
There isn’t anything built in that would do what you want, and I’d imagine there probably isn’t anything “off the shelf” either as this is in the realm of custom business logic, so likely to be different wherever something similar might be wanted.
As mentioned it should be possible to implement by following the audit logs, with some external data store (to record what has been accessed) and a custom application which implements whatever rules you want.
There are probably lots of cases to consider and decide what to do about. For example, if someone accesses a static secret which is then changed, should that be included in the list of accesses or not (and how do you know it is changed - you could just edit part of a secret but keep some fields the same)? Is there a time limit for how long something is included in your list? What about dynamic secrets?
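As an added illustration of the approach suggested in both replies (follow the audit log, record what was read, apply your own rules), and not code from anyone in this thread: the script below reads Vault's JSON audit-device entries and builds, per identity entity, the set of KV paths that entity successfully read, which is the subset to rotate when the user is disabled. It assumes the standard audit fields (`type`, `time`, `auth.entity_id`, `request.operation`, `request.path`, top-level `error` on failed calls) and a KV v2 mount at `secret/`; the log lines are constructed samples, not real output.

```python
import json
from collections import defaultdict

# Constructed sample audit entries (not real logs). Field layout follows
# Vault's JSON audit format; secret values arrive HMACed, paths do not.
SAMPLE_AUDIT_LOG = """\
{"type":"request","time":"2024-01-10T09:00:00Z","auth":{"entity_id":"ent-alice"},"request":{"operation":"read","path":"secret/data/payments/db"}}
{"type":"response","time":"2024-01-10T09:00:00Z","auth":{"entity_id":"ent-alice"},"request":{"operation":"read","path":"secret/data/payments/db"},"response":{"data":{"data":"hmac-sha256:c0ffee"}}}
{"type":"response","time":"2024-01-10T09:05:00Z","auth":{"entity_id":"ent-alice"},"request":{"operation":"list","path":"secret/metadata/payments/"}}
{"type":"response","time":"2024-01-11T12:00:00Z","auth":{"entity_id":"ent-bob"},"request":{"operation":"read","path":"secret/data/hr/ldap"}}
{"type":"response","time":"2024-01-12T08:30:00Z","auth":{"entity_id":"ent-alice"},"request":{"operation":"read","path":"secret/data/hr/ldap"},"error":"permission denied"}
{"type":"response","time":"2024-01-13T16:45:00Z","auth":{"entity_id":"ent-alice"},"request":{"operation":"read","path":"secret/data/payments/db"}}
{"type":"response","time":"2024-01-13T17:00:00Z","auth":{"entity_id":"ent-alice"},"request":{"operation":"update","path":"secret/data/payments/db"}}
{"type":"response","time":"2024-01-14T10:00:00Z","auth":{"entity_id":"ent-alice"},"request":{"operation":"read","path":"secret/data/apps/smtp"}}
"""

def secrets_read_by_entity(log_text, kv_mount="secret/"):
    """Return {entity_id: {path: time_of_last_read}} for successful KV reads.

    Only 'response' entries count (the matching 'request' entry would double
    count), only operation 'read' (list/update do not disclose values), and
    entries with an 'error' field are skipped because the read was denied.
    """
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        req = entry.get("request", {})
        if entry.get("type") != "response" or req.get("operation") != "read":
            continue
        if entry.get("error"):
            continue
        path = req.get("path", "")
        if not path.startswith(kv_mount + "data/"):   # KV v2 data endpoint only
            continue
        entity = entry.get("auth", {}).get("entity_id", "<no-entity>")
        seen[entity][path] = entry["time"]            # ISO-8601 sorts lexically
    return seen

def rotation_list(log_text, entity_id):
    """Paths to rotate when this entity is disabled, most recently read first."""
    reads = secrets_read_by_entity(log_text).get(entity_id, {})
    return sorted(reads, key=reads.get, reverse=True)

if __name__ == "__main__":
    for path in rotation_list(SAMPLE_AUDIT_LOG, "ent-alice"):
        print(path)
```

The script keeps every successful read regardless of later `update` operations; whether an update by someone else should clear an earlier read, and how far back the log must be retained, are the policy questions raised above and have to be decided before such a report is trusted.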