How to audit Vault paths

I’m not specifically talking about the “audit log” feature of Vault, but what this old Vault mailing list post describes: https://groups.google.com/g/vault-tool/c/rcAASNfVja0

Did anything like this get added to Vault as a feature, either in F/OSS or Enterprise versions? I have a client that is requesting the ability to determine “who” (machine or user) can access a given path. Something like: “Given path X, users b, c, d, and e have update access, users b, c have create access, users b, c, d, e, and g have read access”, etc.

Thanks!

Nothing like that has been added, because there is no “explicit link” between a “user” and a “policy” - it all depends what auth method is used, and even with that, what attributes get extracted.

Depending on how your auth engines are set up, this could be simple (e.g. userpass) or very complicated (JWT with attributes and multiple policy templates).

As an example - Userpass with groups:

  • User x, belongs to group A
  • All users have policy U
  • group A has policy G
  • policy A + policy G has access to the following.

As a more complex example from one of mine, we use JWT Auth for GitLab pipelines - as well as LDAP for users. From LDAP, users have full access to /my-secrets/[username]/*. GitLab pipelines authenticate using JWTs (they are a “user”). Using information from the JWT, the runners have read access to:

gitlab-secrets/[project-id]/*
my-secrets/[username]/*

As well as post access to auth/approle/[namespace-id]/secret-id to generate secret-ids.

So it becomes unique to your customer's environment.

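The question asks for "given path X, who holds which capability", and the answer explains why Vault cannot hand that out directly: the identity-to-policy link lives in the auth method and identity groups, not in the policies. Below is an added example (written for this thread, not Vault's code or either poster's) that shows the shape of the script you end up writing once you have exported that link. It models the userpass-with-groups case from the answer (policy U for everyone, policy G for group A), a templated per-user path like the `my-secrets/[username]/*` rule, and a `+` segment-wildcard rule for pipelines. The policy contents, entity and group names, and the entity/group-to-policy mapping are all constructed sample data standing in for what your own auth methods produce. Path matching is a simplified version of Vault's precedence rules (exact path beats wildcard paths, longest literal prefix wins among wildcards, identical paths across policies are merged, `deny` overrides); it is an assumption of this example, not a statement of Vault's exact algorithm.

```python
"""Offline model of 'who can do what on path X' across a set of Vault policies.

Example code added to this thread; it is not part of Vault. All policies,
entities and groups below are constructed sample data.
"""
import re

CAPABILITIES = ("create", "read", "update", "delete", "list", "patch", "sudo")

# Constructed sample policies: (path pattern, capabilities) per policy.
POLICIES = {
    "U": [("secret/data/shared/*", {"read", "list"})],          # everyone
    "G": [("secret/data/shared/*", {"create", "update", "delete"}),
          ("secret/data/shared/locked", {"deny"})],            # group A only
    "ro": [("secret/data/shared/db", {"read"})],                # exact path, one user
    # Templated policy: rendered per entity, like my-secrets/[username]/*
    "self": [("my-secrets/{{identity.entity.name}}/*",
              {"create", "read", "update", "delete", "list"})],
    # Pipeline policy using '+' (one path segment) and trailing '*' (glob)
    "ci": [("gitlab-secrets/+/*", {"read"}),
           ("auth/approle/role/+/secret-id", {"update"})],
}

# Constructed identity data: what the auth method / identity groups attach.
ENTITIES = {"b": ["U", "self"], "c": ["U", "self"], "d": ["U", "self"],
            "e": ["U"], "g": ["ro"], "runner": ["ci"]}
GROUPS = {"A": {"policies": ["G"], "members": ["b", "c"]}}


def render(pattern, entity):
    """Substitute the one template variable this example supports."""
    return pattern.replace("{{identity.entity.name}}", entity)


def pattern_to_regex(pattern):
    """'+' matches exactly one segment; a trailing '*' matches any suffix."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    rx = "[^/]+".join(re.escape(part) for part in body.split("+"))
    return re.compile(rx + (".*" if glob else ""))


def specificity(pattern):
    """Ordering key: exact paths first, then longest prefix before a wildcard."""
    wild = [i for i, ch in enumerate(pattern) if ch in "+*"]
    return (1, len(pattern)) if not wild else (0, wild[0])


def effective_policies(entity):
    """Direct policies plus those inherited from group membership."""
    names = list(ENTITIES[entity])
    for group in GROUPS.values():
        if entity in group["members"]:
            names += group["policies"]
    return names


def capabilities(entity, path):
    """Capabilities one entity holds on one path under the simplified rules."""
    rules = {}  # rendered pattern -> merged capabilities across policies
    for name in effective_policies(entity):
        for pattern, caps in POLICIES[name]:
            rules.setdefault(render(pattern, entity), set()).update(caps)
    matching = [(specificity(p), p) for p in rules
                if pattern_to_regex(p).fullmatch(path)]
    if not matching:
        return set()
    _, best = max(matching)
    caps = rules[best]
    return set() if "deny" in caps else caps  # deny on the winning path wins


def who_can(path):
    """Invert the question: capability -> sorted entity names holding it."""
    result = {cap: [] for cap in CAPABILITIES}
    for entity in sorted(ENTITIES):
        for cap in capabilities(entity, path):
            result[cap].append(entity)
    return {cap: names for cap, names in result.items() if names}


if __name__ == "__main__":
    for p in ("secret/data/shared/db", "secret/data/shared/locked",
              "my-secrets/b/token", "auth/approle/role/deploy/secret-id"):
        print(p, who_can(p))
```

Vault itself only answers the per-token half of this (`vault token capabilities <token> <path>`); the fan-out across every user and machine identity, and the rendering of templated policies per entity, is the part the script has to do, using whatever your auth methods and identity groups actually attach. Note that `secret/data/shared/locked` comes back with no `create`/`update` holders even though the glob rule grants them, because the exact-path `deny` in policy G wins for members of group A.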