Using Vault to store personal secrets

Hi everyone,

While developing our project, each team member uses their own API key. That key is personal and must not be shared with anybody (incl. admins and management).

Currently, each developer exposes their own key by setting up an environment variable on their dev machine. Testing and production systems do the same, respectively exposing the testing and production API keys through the same environment variable.

Can this use case be handled using Vault instead of using environment variables? Specifically, can Vault be configured to return a different secret value depending on the user currently logged in? Could you point me to some documentation describing the corresponding setup?

Regards,

Sylvain

If you want to do this with the built-in KV secrets engine in Vault, each user secret would have to live at a different path.

You’d need to build a custom plugin for the kind of behaviour you’re talking about.

It isn’t the best use of Vault but if you already have Vault for something else it’s worth it.

You’d have to use templated policies to map the entity to an individual path in a store. See the first example of mapping a single entity to a path. Now it isn’t exactly the same request that responds with a different answer, but each user has a unique path that they can request a normalized “key” from that would return a personal “value”.
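The templated-policy approach described in the two replies above, as an added example (not code from the thread or from HashiCorp): one policy that every developer shares, but which Vault resolves per caller to `secret/users/<that caller's entity id>/...`, so the same logical "apikey" path returns a different value for each logged-in user. It assumes a KV v2 engine at `secret/`, the userpass auth method, a placeholder user `sylvain`, and `VAULT_ADDR`/`VAULT_TOKEN` already pointing at a Vault you administer; all of those are assumptions, not details from the question.

```shell
#!/usr/bin/env sh
# Added example: per-user API keys in Vault KV v2 behind one templated policy.
# Assumed (not from the thread): KV v2 mounted at "secret/", userpass auth enabled,
# VAULT_ADDR and VAULT_TOKEN already set for an operator, and a placeholder user "sylvain".

# Write the templated policy to the file named in $1. Vault substitutes
# {{identity.entity.id}} with the requesting token's entity ID at evaluation time,
# so each user can only touch the subtree that carries their own entity ID.
write_policy_file() {
  cat > "$1" <<'EOF'
# KV v2 stores secret data under <mount>/data/<path>; this confines each entity
# to its own subtree. No "list" on data, so users cannot enumerate other subtrees.
path "secret/data/users/{{identity.entity.id}}/*" {
  capabilities = ["create", "update", "read"]
}

# Metadata path is what "vault kv list" and "vault kv metadata" consult.
path "secret/metadata/users/{{identity.entity.id}}/*" {
  capabilities = ["read", "list"]
}
EOF
}

# Logical KV path of a given entity's API key (mirrors the policy above;
# "vault kv" commands take the path without the "data/" segment).
user_secret_path() {
  printf 'secret/users/%s/apikey' "$1"
}

# Operator side: run once. Errors from "enable" are ignored if already enabled.
setup_vault() {
  vault secrets enable -path=secret kv-v2 2>/dev/null || true
  vault auth enable userpass 2>/dev/null || true
  write_policy_file ./per-user-apikey.hcl
  vault policy write per-user-apikey ./per-user-apikey.hcl
  # Placeholder credentials; in practice map users from your real identity provider.
  vault write auth/userpass/users/sylvain password='change-me' policies=per-user-apikey
}

# Developer side: log in, learn your own entity ID, store and read back your key.
# The key value is given interactively here so it never lands in shell history.
store_and_read_own_key() {
  vault login -method=userpass username=sylvain
  entity_id=$(vault read -field=entity_id auth/token/lookup-self)
  path=$(user_secret_path "$entity_id")
  printf 'Paste your personal API key: '
  read -r api_key
  vault kv put "$path" value="$api_key"
  # What the application consumes instead of a hand-set environment variable:
  API_KEY=$(vault kv get -field=value "$path")
  export API_KEY
  echo "API key loaded from $path into \$API_KEY"
}

case "${1:-}" in
  setup) setup_vault ;;
  store) store_and_read_own_key ;;
esac
```

Run `sh example.sh setup` once as an operator, then `sh example.sh store` as each developer. Testing and production systems get their own entities (for example via AppRole or the Kubernetes auth method) and land in their own subtree the same way. One caveat worth stating plainly: the templated policy isolates users from each other, but anyone holding a root token or a policy that grants `read` on `secret/data/users/*` can still read every key, so "not visible to admins" holds only as far as you restrict operator policies and audit their use.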

@maxb, @aram, thanks for the replies.

Using templated policies is indeed a possible solution.