Secrets Access Control
Controlling who can access which secrets.
Access control enforcement is deployment-specific: this repo does not ship a complete policy engine for the permission strings shown below, so the matching and precedence rules for the patterns on this page are left to the deployment.
Permission model
Secret-level permissions
- vault:secrets:read - Read secret value
- vault:secrets:write - Create/update secrets
- vault:secrets:delete - Delete secrets
- vault:secrets:rotate - Trigger rotation
Path-based policies
These resource strings are logical policy patterns (often based on secret names), not Vault API paths or secret IDs.
```json
{
  "statements": [
    {
      "effect": "allow",
      "actions": ["vault:secrets:read"],
      "resources": ["secrets/production/*"]
    },
    {
      "effect": "deny",
      "actions": ["vault:secrets:*"],
      "resources": ["secrets/production/root-*"]
    }
  ]
}
```
Access patterns
Role-based
```json
{
  "role": "developer",
  "secrets": {
    "development/*": ["read"],
    "staging/*": ["read"],
    "production/*": []
  }
}
```
Service-based
```json
{
  "service": "payment-service",
  "secrets": {
    "secrets/stripe-*": ["read"],
    "secrets/db-payment": ["read"]
  }
}
```
Conditions
Time-based
```json
{
  "conditions": {
    "time": {
      "after": "09:00",
      "before": "18:00",
      "timezone": "UTC"
    }
  }
}
```
IP-based
```json
{
  "conditions": {
    "sourceIp": ["10.0.0.0/8", "192.168.1.0/24"]
  }
}
```
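Because the repo leaves enforcement to the deployment, the following is an added reference evaluator (example code, not the project's engine) that ties together the path-based statements, the compact role/service grants and the time and IP conditions above. It assumes semantics the page does not state: default deny, an explicit deny wins over any allow, `*` in actions and resources is a glob, a statement applies only when all of its conditions hold, and the bare patterns of the role form (`development/*`) live under a `secrets/` prefix. The policy, role and request contexts are constructed for the demo.

```python
# Added example (not the project's own engine; the page leaves enforcement to
# the deployment). Assumed semantics: default deny, explicit deny beats allow,
# '*' is a glob, and every condition on a statement must hold for it to apply.
from datetime import datetime, time, timezone
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


def matches(pattern: str, value: str) -> bool:
    """Glob match for action and resource patterns; '*' also spans '/'."""
    return fnmatchcase(value, pattern)


def _hhmm(text: str) -> time:
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def _tz(name: str):
    if name == "UTC":
        return timezone.utc
    from zoneinfo import ZoneInfo  # other IANA zone names need tz data on the host
    return ZoneInfo(name)


def conditions_hold(conditions: dict, ctx: dict) -> bool:
    """ctx carries the request facts: a tz-aware 'now' and the caller's 'sourceIp'."""
    window = conditions.get("time")
    if window:
        now = ctx["now"].astimezone(_tz(window.get("timezone", "UTC"))).time()
        after, before = _hhmm(window["after"]), _hhmm(window["before"])
        if after <= before:
            inside = after <= now < before
        else:  # window crosses midnight, e.g. after 22:00 and before 06:00
            inside = now >= after or now < before
        if not inside:
            return False
    cidrs = conditions.get("sourceIp")
    if cidrs:
        src = ip_address(ctx["sourceIp"])
        if not any(src in ip_network(c, strict=False) for c in cidrs):
            return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Default deny; a matching deny short-circuits, otherwise any matching allow wins."""
    allowed = False
    for st in policy["statements"]:
        if not any(matches(a, action) for a in st["actions"]):
            continue
        if not any(matches(r, resource) for r in st["resources"]):
            continue
        if not conditions_hold(st.get("conditions", {}), ctx):
            continue
        if st["effect"] == "deny":
            return False
        allowed = True
    return allowed


def statements_from_grants(grants: dict, prefix: str = "secrets/") -> list:
    """Expand the compact role/service form into statements (assumed mapping: bare
    patterns get the prefix, 'read' -> 'vault:secrets:read', [] grants nothing)."""
    statements = []
    for pattern, verbs in grants.items():
        if not verbs:  # "production/*": [] is no grant, but it is not a deny either
            continue
        resource = pattern if pattern.startswith(prefix) else prefix + pattern
        statements.append({"effect": "allow",
                           "actions": [f"vault:secrets:{v}" for v in verbs],
                           "resources": [resource]})
    return statements


# Constructed policy: the page's path-based statements with both conditions
# attached to the allow, so production reads need office hours and a trusted
# network, while root-* secrets are denied outright.
PRODUCTION_POLICY = {"statements": [
    {"effect": "allow", "actions": ["vault:secrets:read"],
     "resources": ["secrets/production/*"],
     "conditions": {"time": {"after": "09:00", "before": "18:00", "timezone": "UTC"},
                    "sourceIp": ["10.0.0.0/8", "192.168.1.0/24"]}},
    {"effect": "deny", "actions": ["vault:secrets:*"],
     "resources": ["secrets/production/root-*"]},
]}
DEVELOPER_ROLE = {"development/*": ["read"], "staging/*": ["read"], "production/*": []}


def demo() -> dict:
    day = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)   # constructed request times
    night = datetime(2024, 1, 15, 22, 0, tzinfo=timezone.utc)
    inside = {"now": day, "sourceIp": "10.1.2.3"}
    dev = {"statements": statements_from_grants(DEVELOPER_ROLE)}
    read, write = "vault:secrets:read", "vault:secrets:write"
    return {
        "read_db_in_hours": evaluate(PRODUCTION_POLICY, read, "secrets/production/db-main", inside),
        "read_db_after_hours": evaluate(PRODUCTION_POLICY, read, "secrets/production/db-main", {"now": night, "sourceIp": "10.1.2.3"}),
        "read_db_off_network": evaluate(PRODUCTION_POLICY, read, "secrets/production/db-main", {"now": day, "sourceIp": "203.0.113.7"}),
        "read_root_in_hours": evaluate(PRODUCTION_POLICY, read, "secrets/production/root-token", inside),
        "write_db_in_hours": evaluate(PRODUCTION_POLICY, write, "secrets/production/db-main", inside),
        "dev_reads_development": evaluate(dev, read, "secrets/development/api-key", inside),
        "dev_reads_production": evaluate(dev, read, "secrets/production/db-main", inside),
        "maintenance_window_wraps_midnight": conditions_hold({"time": {"after": "22:00", "before": "06:00"}}, {"now": night}),
    }
```

Call `demo()` to see the decisions; the root-* case is the one to watch, since the allow on `secrets/production/*` matches it too and only the deny-wins rule keeps it closed. Note that `"production/*": []` in the role form merely omits a grant: a developer who also holds a second role with an allow on production would get access, so a hard exclusion belongs in an explicit deny statement.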
Emergency access
Break-glass procedures:
- Request emergency access
- Approval from multiple admins
- Time-limited access granted
- Full audit trail
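The four steps above, worked through as an added example (not the project's code). It assumes details the list does not fix: a quorum of two distinct admins, the requester may not approve their own request, approvals after the grant are refused, access expires after a TTL, and every transition is appended to an audit trail. The requester, approvers and timestamps are constructed for the demo.

```python
# Added example of the break-glass steps listed on the page (not the project's
# code). Assumed: fixed approval quorum, distinct approvers other than the
# requester, a TTL on the grant, and an append-only audit trail.
from datetime import datetime, timedelta, timezone
from typing import Optional


class BreakGlassRequest:
    def __init__(self, requester: str, resource: str, reason: str,
                 ttl: timedelta, now: datetime, quorum: int = 2):
        self.requester, self.resource, self.reason = requester, resource, reason
        self.ttl, self.quorum = ttl, quorum
        self.approvers: set = set()
        self.granted_at: Optional[datetime] = None
        self.audit: list = []
        self._log(now, "requested", requester=requester, resource=resource, reason=reason)

    def _log(self, now: datetime, event: str, **fields) -> None:
        self.audit.append({"at": now.isoformat(), "event": event, **fields})

    def approve(self, admin: str, now: datetime) -> bool:
        """Record one admin's approval; grant once the quorum of distinct admins is met."""
        if admin == self.requester:
            self._log(now, "approval_refused", admin=admin, why="requester cannot self-approve")
            return False
        if admin in self.approvers:
            self._log(now, "approval_refused", admin=admin, why="duplicate approval")
            return False
        if self.granted_at is not None:
            self._log(now, "approval_refused", admin=admin, why="already granted")
            return False
        self.approvers.add(admin)
        self._log(now, "approved", admin=admin, approvals=len(self.approvers))
        if len(self.approvers) >= self.quorum:
            self.granted_at = now
            self._log(now, "granted", expires=(now + self.ttl).isoformat())
        return True

    def is_active(self, now: datetime) -> bool:
        """Time-limited: valid only inside [granted_at, granted_at + ttl)."""
        return self.granted_at is not None and self.granted_at <= now < self.granted_at + self.ttl

    def events(self) -> list:
        return [entry["event"] for entry in self.audit]


def demo() -> dict:
    t0 = datetime(2024, 1, 15, 3, 0, tzinfo=timezone.utc)  # constructed incident time
    req = BreakGlassRequest("alice", "secrets/production/root-token",
                            "database restore during an outage", ttl=timedelta(hours=1), now=t0)
    return {
        "self_approval": req.approve("alice", t0 + timedelta(minutes=1)),
        "first_approval": req.approve("bob", t0 + timedelta(minutes=2)),
        "active_after_one": req.is_active(t0 + timedelta(minutes=3)),
        "duplicate_approval": req.approve("bob", t0 + timedelta(minutes=4)),
        "second_approval": req.approve("carol", t0 + timedelta(minutes=5)),
        "active_after_quorum": req.is_active(t0 + timedelta(minutes=6)),
        "active_after_ttl": req.is_active(t0 + timedelta(minutes=66)),
        "audit_events": req.events(),
    }
```

The refused approvals are logged as well as the accepted ones; a reviewer reading the trail after the incident should be able to see every attempt, not just the path that led to the grant. In a real deployment the grant would also be enforced by issuing a credential whose own lifetime matches the TTL, rather than relying on `is_active` alone.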