Vault Configuration: Specialized Roles for Administrators

We aim to configure our Vault instance to allow various administrators to have specialized permissions. Specifically, we want each type of administrator to be able to manage only their own credentials, while the Vault Administrator should be responsible for broader administrative tasks (Policy creation and binding, role management etc.) without having the capability to manage or view any credentials.
I hope this clearly outlines our requirements. We would be immensely grateful for your expertise and advice on achieving this particular configuration in Vault.

An administrator capable of policy creation and binding can, by definition, give themselves access to do anything at all, so you cannot effectively prevent them from accessing secrets. You can only trust them, and monitor audit logs.

Thanks for answering.
So, it appears that we cannot restrict a Vault Administrator who has the capability to manage all aspects of Vault from viewing credentials. Is it indeed impossible to create an administrative role that can perform all administrative tasks but is restricted from seeing credentials?

No, as @maxb told you. Administrators can give themselves permissions.
You must have auditing and processes to control what administrators do.
For example, in my company, all configuration is managed by Terraform, updated with merge requests in GitLab and audited by other people. And all command/file logs are pushed to Splunk. There are processes (open a ticket, …) to update configuration. If someone tries something, an alert is pushed to the Security Team mail/dashboard.

Thank you @Joffrey for sharing your insights and practical solutions.

It’s clear that while we can’t restrict a Vault Administrator from accessing credentials, we can implement a robust auditing and process control system to monitor activities.
Is it possible to configure Vault in such a way that a Vault Administrator is restricted from viewing, editing and deleting credentials? Furthermore, if the Vault Administrator tries to grant themselves permission to view credentials, can we set up an alert mechanism to notify us of this action immediately?

I hope you revoked the root key.
Remember, users can only do what they can do. You must configure policies to give the permission to read a secret. If you don’t, they can’t.
About the alert mechanism, I don’t know if the new event mechanism can help you (@maxb ?). In my company, we use external tools (like Splunk) to monitor activities (auditd + log files).

@Joffrey Thank you for your response. I understand the importance of revoking the root key and configuring policies appropriately. However, my query was more focused on a specific scenario involving Vault Administrators.

To clarify: Is there a way to configure Vault such that a Vault Administrator, who has the ability to manage policies and roles, is restricted from viewing sensitive credentials? And if the Administrator attempts to modify their permissions to gain access to these credentials, is there a built-in or external mechanism that would alert us immediately?

Your expertise on this matter would be highly valuable.

@lemanhesenzade2002 Are you using AI tools to reword your messages? They give me that impression. You should consider not doing that, as to be honest, it makes me less likely to respond… I’m only doing so now because I’m stuck waiting for a bus.

Depends on what you mean by “restricted”. Yes you can avoid giving them access to credentials in the policy as originally written, but no, if you give them the ability to change policies they can change the policies affecting their own accounts.

You can turn on Vault audit logging but you would have to build a system to analyse those logs and raise alerts yourself. It would require substantial bespoke work. It would also not be “immediate”, merely “somewhat soon after, provided the external system isn’t having an outage, and the rogue Administrator doesn’t manage to sabotage the audit log transfer”.
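Analysis of the kind described here (a bespoke system over Vault audit logs) as an added example, not code from this thread or from Vault itself: it scans constructed audit-log lines and flags policy writes, identity-binding writes and credential-path reads made under an administrator policy. The policy name `vault-admin`, the secret mount prefixes and the sample entries are assumptions.

```python
import json

# Constructed sample lines in Vault's JSON audit-log shape (one object per line); not real output.
SAMPLE_AUDIT_LOG = """
{"time":"2024-01-01T10:00:00Z","type":"request","auth":{"display_name":"ldap-alice","policies":["default","vault-admin"]},"request":{"operation":"update","path":"sys/policies/acl/vault-admin"}}
{"time":"2024-01-01T10:00:00Z","type":"response","auth":{"display_name":"ldap-alice","policies":["default","vault-admin"]},"request":{"operation":"update","path":"sys/policies/acl/vault-admin"}}
{"time":"2024-01-01T10:00:05Z","type":"request","auth":{"display_name":"ldap-alice","policies":["default","vault-admin"]},"request":{"operation":"read","path":"secret/data/db/prod"}}
{"time":"2024-01-01T10:00:09Z","type":"request","auth":{"display_name":"ldap-bob","policies":["default","db-admin"]},"request":{"operation":"read","path":"secret/data/db/prod"}}
{"time":"2024-01-01T10:00:12Z","type":"request","auth":{"display_name":"ldap-alice","policies":["default","vault-admin"]},"request":{"operation":"read","path":"sys/policies/acl/db-admin"}}
{"time":"2024-01-01T10:00:15Z","type":"request","auth":{"display_name":"ldap-alice","policies":["default","vault-admin"]},"request":{"operation":"update","path":"identity/group/name/db-admins"}}
"""

ADMIN_POLICY = "vault-admin"   # assumed name of the Vault Administrator policy
SECRET_PREFIXES = ("secret/data/", "secret/metadata/", "database/creds/")  # assumed mounts
WRITE_OPS = {"create", "update", "delete", "patch"}


def classify(entry):
    """Return an alert string for a suspicious request entry, or None."""
    if entry.get("type") != "request":
        return None  # each call is logged twice (request + response); count it once
    auth = entry.get("auth") or {}
    req = entry.get("request") or {}
    if ADMIN_POLICY not in (auth.get("policies") or []):
        return None  # only the administrator's own actions are of interest here
    who, op, path = auth.get("display_name", "?"), req.get("operation", ""), req.get("path", "")
    if path.startswith("sys/policies/") and op in WRITE_OPS:
        return f"POLICY_WRITE {who} {op} {path}"       # admin changed a policy
    if path.startswith("identity/") and op in WRITE_OPS:
        return f"IDENTITY_WRITE {who} {op} {path}"     # admin changed group/alias bindings
    if path.startswith(SECRET_PREFIXES):
        return f"ADMIN_SECRET_ACCESS {who} {op} {path}"  # admin touched a credential path
    return None


def scan(log_text):
    """Run classify over every line; an unparseable line is itself an alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            alerts.append(f"UNPARSEABLE {line[:40]}")
            continue
        alert = classify(entry)
        if alert:
            alerts.append(alert)
    return alerts
```

This only works while the audit device keeps shipping; it does nothing about the caveat above that an administrator can also interfere with the audit log transfer itself.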

Thank you @maxb for your response. I am using AI to reword my questions to make them more detailed and understandable. I understand that we can create a policy to avoid giving them access to credentials (it is possible to restrict some capabilities in the administrator account), but they can change the policy of their own accounts?
Have I understood correctly?
And we must do audit logging and alerts.
I wrote this message without using AI.

Just wanted to add that Vault Enterprise integrates with Sentinel in ways that might be of interest (e.g., Role or Endpoint Governing Policies for paths containing more sensitive data / credentials).

There is sometimes a place for repeating back what you have been told in your own words, and asking for confirmation you have understood correctly. But you have done it repeatedly, and have hardly changed the wording of what you have been told in the first place.

This is tiresome and time-wasting behaviour, so I am choosing to not respond further.

Thank you for the recommendation.

Thank you for the answer.