Vault KMS Service

I’m new on the discussion, and I just discovered the Vault KMS solution.
It would be really great for my application but I’d like to address a few questions that I didn’t find answers.

  • What logs in the Vault KMS looks like ? Is it possible for a given public key, for an admin user to see what messages the related private key signed ?
  • Can we set permissions so a IAM user can generate keys but without admin rights to see the private keys ?
  • Is there anyway to implement a plug-in that says “Sign with hashicorp” if I want the user of my app to sign manually ? (Just like Metamask)
    Thank you for your answers !