Two people to approve reading a secret?

Hi all,
I’m a relative newbie with Vault (only using it as a PKI till now).

What I want is to store some secrets in vault, where:

  • any one of a group of people can create these secrets
    (or create new versions of the secret, or read the secret metadata), but
  • I need two people to agree when the secret needs to be read.
    (in the more general situation it would be N of M, instead of 2).

Is there some feature in Vault that can accomplish this, or would I have to implement it myself on top of Vault?

Thanks

Sounds like MFA in Vault Enterprise: https://www.vaultproject.io/docs/enterprise/mfa/index.html

Unsupported legacy in OSS: https://www.vaultproject.io/docs/auth/mfa/

You might want to take a look at Control Groups (this is an Enterprise feature): https://learn.hashicorp.com/vault/identity-access-management/iam-control-groups

Regards,
Jim

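As an added illustration of the Control Groups suggestion (this is example policy written for this page, not code from the thread or from HashiCorp's documentation), here is roughly what a Vault Enterprise policy for the two-person read requirement looks like. The KV v2 mount `secret/`, the path `shared/*`, and the identity group name `secret-approvers` are assumptions; the `control_group` and `factor` syntax is the documented policy form.

```hcl
# Policy attached to the people who are allowed to *request* a read.
# Reading the secret data is only released once the control group is satisfied.
path "secret/data/shared/*" {
  capabilities = ["read"]

  control_group = {
    # Approvals must be given within this window or the request lapses.
    max_ttl = "4h"

    # One factor: 2 distinct members of the identity group must authorize.
    # For the general N-of-M case, set approvals = N and put the M eligible
    # approvers in the group. Several factor blocks may be listed; all of them
    # must be satisfied before the response is released.
    factor "two_person_rule" {
      identity {
        group_names = ["secret-approvers"]   # assumed identity group name
        approvals   = 2
      }
    }
  }
}

# Metadata (versions, timestamps) is not gated: anyone with this policy can
# list and inspect versions without triggering the control group.
path "secret/metadata/shared/*" {
  capabilities = ["read", "list"]
}
```

In use, the requester runs `vault kv get secret/shared/<name>` and, instead of the data, receives a wrapped response whose `wrap_info.accessor` identifies the pending request. Each approver then runs `vault write sys/control-group/authorize accessor=<accessor>`; the requester can poll `vault write sys/control-group/request accessor=<accessor>` to see how many approvals are still outstanding, and once two have been recorded, `vault unwrap <wrapping_token>` returns the secret. Because the control group is declared per path stanza, the creators in the question would get their `create`/`update` capability from a separate path or policy; newer Vault releases also accept a `controlled_capabilities` list inside `control_group` to limit which capabilities require approval, so check the policy documentation for the version you run and verify the whole flow on a dev server before relying on it.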