Two people to approve reading a secret?

Hi all,
I’m a relative newbie with Vault (only using it as PKI till now).

What I want is to store some secrets in Vault, where:

  • anyone in a group of people can create these secrets
    (or create new versions of the secret, or read the secret metadata), but
  • I need to have two people agree when the secret needs to be read
    (in the more general situation it would be N of M, instead of 2).

Is there some feature in Vault that can accomplish this, or would I have to implement it myself on top of Vault?


Sounds like MFA in Vault Enterprise:

Unsupported legacy in OSS:

You might want to take a look at Control Groups (this is an Enterprise feature):


