Hide password field in a secret inside vault

rgoel111 · October 31, 2022, 9:41am

Hi ,

I have a vault running on my production server . there are multiple secrets stored in vault inside secret folder.
secret of type user-password.

below is secret structure in vault UI :

secrets → userpassword-> secretName

where secretName has fields like username , password

I have created a developer policy to read all secrets iniside secrets

path “secrets/*” {
capabilities = [“read”]
}

but here I am able to see password inside secretName

Can i mask only password field for this policy so that user can just see username but not password ?

maxb · October 31, 2022, 9:57am

No, this is not possible, as the Vault policy system only acts on URL paths. It cannot filter the returned fields of individual secrets.

If you have information of different confidentiality levels, it needs to go in separate secrets.

rgoel111 · October 31, 2022, 10:53am

thanks @maxb.
do we have a way to map a vault policy to a particular single user ?
example:
If i create a secret with name secretName in vault using curl. and i at runtime create a policy to read only this secretName. I want to map this role to the person who creates this secret

maxb · October 31, 2022, 11:31am

I am sorry, but your question is not precise enough to have a clear answer.

Yes - There are various ways of mapping policies in Vault, some of which are suitable for applying to single users, but the specifics will depend on other details of your authentication and user management setup.

No - Vault does not have any way to grant policy based on who created a secret.