Is there a way to configure Vault such that:
- Each user will have their own credentials to log in to Vault and create/read secrets.
- An admin cannot read/write the secrets that other users have created.
Thanks
Ma.
A while back I wrote up a guide to help get started with policy creation that you may find useful.
I believe examples 7 and 8 would be what you’re after.
Generally, “admin” would imply someone who has full access to change Vault policies. You can’t prevent such a person from reading other secrets, as even if you wrote a policy to do that, they could remove the policy themselves.
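As an added illustration of the per-user and operator split discussed in this reply (not the linked guide's examples and not code from the original thread), two Vault ACL policies; the KV v2 mount at secret/ and the assumption that each login's identity entity name equals the user's login name are mine:

```hcl
# Added example, not from the thread. Assumes a KV v2 secrets engine mounted
# at "secret/" and that every user authenticates through an auth method
# whose identity entity name is the user's login name.

# --- "user" policy: each entity may touch only secret/<own entity name>/...
# {{identity.entity.name}} is substituted by Vault per request, so one
# policy serves every user without listing them individually.
path "secret/data/{{identity.entity.name}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/metadata/{{identity.entity.name}}/*" {
  capabilities = ["list", "read", "delete"]
}

# --- "operator" policy: manage auth methods and mounts, but no secret data.
# "deny" wins over any other capability granted on an overlapping path.
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "sudo"]
}

path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete"]
}

path "secret/data/*" {
  capabilities = ["deny"]
}

# Deliberately no grant on sys/policies/acl/*: a holder of that path could
# rewrite this policy and drop the deny, which is the limit the reply
# describes. Keep policy administration in a separate, audited role.
```

Load each file with `vault policy write <name> <file>` and attach it through the auth method's token_policies or an identity group; the operator deny only holds while that role cannot also write to sys/policies/acl/*.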
Thank you very much, I will take a look at the KB you have created.
In my design, all permissions are linked to AD groups and we are auditing group changes with Splunk. So, if a group is changed, our security team is going to receive a security alert.