Hello. our business case is as following.
We have a backend java process that uses a private-key during its operations. since it is needed in order to sign data , it is needed in its raw version, it is saved into a plan text file that is saved on the server. yes its bad.
We wanted to know if the vault has API that can ask for a secret value (using some API we will embed into the software) that once it is asking for a secret, the vault will send a notification (slack, native-app, whatever) asking secret administrator to approve access to that secret.
along with that there will be details of the process id, machine, user and so…
that way if the backend software starts (I can process id details), and we approve the access the person who executed the software will not see the value.
of course this is not bullet proof from malicious access , but it can reduce frictions