Does anyone know whether Vault supports an undeletable changelog/change history for secrets? To know who did what and when.
You would need to use an Audit Device to capture this information.
Vault can maintain a set of versions for KV secrets but as far as I’m aware it does not track who. For that you’d need to inspect the audit logs.
Audit is a nice feature indeed! (on paper at least).
Yet for Vault, as a store of secrets in general (I hope company staff read this), it would be so logical to track a changelog on secrets.
@jeffsanicola has the right answer, just need to be careful with it.
- It does contain sensitive information.
- If you use a file device and fill up the partition where the file exists, your Vault instance will stop responding until that’s resolved. I highly recommend using at least two different audit types, socket and file … as long as one of them is viable there is no issue.
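To show how the audit log answers the original "who did what and when" question, here is an added Python example (not posted by anyone in this thread) that reconstructs a KV change history from audit entries. The field names (`type`, `auth.display_name`, `request.operation`, `request.path`) follow Vault's JSON audit format; the log lines themselves are constructed for the example.

```python
import json
from typing import Iterable

# Operations that change a secret; plain reads are left out of the history.
MUTATING_OPS = {"create", "update", "delete", "patch"}

# Constructed sample of Vault audit entries (one JSON object per line).
# Vault writes a "request" entry when a call arrives and a "response" entry
# when it finishes; secret values under "data" are HMAC'd, never plaintext.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-03-01T09:00:00Z","type":"response","auth":{"display_name":"alice"},"request":{"operation":"read","path":"secret/data/app/db"},"response":{"data":{"data":{"password":"hmac-sha256:1a2b"}}}}
{"time":"2024-03-01T09:05:00Z","type":"request","auth":{"display_name":"alice"},"request":{"operation":"update","path":"secret/data/app/db","data":{"data":{"password":"hmac-sha256:3c4d"}}}}
{"time":"2024-03-01T09:05:00Z","type":"response","auth":{"display_name":"alice"},"request":{"operation":"update","path":"secret/data/app/db","data":{"data":{"password":"hmac-sha256:3c4d"}}}}
{"time":"2024-03-01T10:15:00Z","type":"response","auth":{"display_name":"bob"},"request":{"operation":"update","path":"secret/data/app/db"},"error":"permission denied"}
{"time":"2024-03-01T11:30:00Z","type":"response","auth":{"display_name":"carol"},"request":{"operation":"delete","path":"secret/data/app/db"}}
"""


def kv_change_history(lines: Iterable[str], mount: str = "secret/") -> list[dict]:
    """Return who changed which secret under `mount`, and when, using only
    completed operations (response entries without an error)."""
    history = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        # A "request" entry is logged before the operation runs, so it does not
        # prove the change happened; a response carrying "error" means it failed.
        if entry.get("type") != "response" or entry.get("error"):
            continue
        req = entry.get("request", {})
        op, path = req.get("operation"), req.get("path", "")
        if op not in MUTATING_OPS or not path.startswith(mount):
            continue
        history.append({
            "time": entry["time"],
            "who": entry.get("auth", {}).get("display_name", "<unknown>"),
            "op": op,
            "path": path,
        })
    return history


if __name__ == "__main__":
    for change in kv_change_history(SAMPLE_AUDIT_LOG.splitlines()):
        print(f'{change["time"]}  {change["who"]:<8} {change["op"]:<7} {change["path"]}')
```

Since every entry records the token's display name rather than a plaintext secret, this history can be kept and reviewed without re-exposing the values that changed.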