Vault admin policy restriction

Is there a way to configure the vault such that :

  1. Each user will have their own credentials to login to vault and create / read the secrets.
  2. An admin cannot read/write the secrets that other users have created.

A while back I wrote up a guide to help get started with policy creation that you may find useful.

I believe examples 7 and 8 would be what you’re after.


Generally, “admin” would imply someone who has full access to change Vault policies. You can’t prevent such a person from reading other secrets, as even if you wrote a policy to do that, they could remove the policy themselves.
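For requirement 1, Vault's templated ACL policies can give every authenticated identity its own namespace in a KV v2 mount without writing a policy per user. The snippet below is an added example, not from the thread or the linked guide; it assumes a KV v2 engine mounted at `secret/` and that the policy names (`per-user-secrets`, `policy-operator`) are your own choice.

```hcl
# per-user-secrets: attach to every user. {{identity.entity.name}} is
# resolved at request time to the calling entity's name, so each user
# can only reach secret/users/<their own name>/...
path "secret/data/users/{{identity.entity.name}}/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/users/{{identity.entity.name}}/*" {
  capabilities = ["list", "read", "delete"]
}

# policy-operator: a narrower "admin" that may manage policies and auth
# methods but is explicitly denied the user secret paths. Note that a
# holder of this policy can still edit policy-operator itself, so this
# only separates duties, it does not satisfy requirement 2 against a
# fully privileged operator or a root token.
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "sudo"]
}
path "secret/data/users/*" {
  capabilities = ["deny"]
}
```

Because of that last point, the practical control is the one already mentioned in the thread: audit changes to policies and group mappings (Vault's audit device plus your SIEM) rather than relying on the policy alone.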

Thank you very much, I will take a look at the KB you have created.

In my design, all permissions are linked to AD groups and we are auditing group changes with Splunk. So, if a group is changed, our security team is going to receive a security alert.