Configure HCP Vault Secrets permissions
Using HCP's role based access control, you can configure and manage HCP Vault Secrets permissions granularly at the application level or more broadly across projects and across the organization level. Assigning permissions at the application level follows the principal of least privilege and restricts access to other HCP services.
If a user or service principal is assigned multiple roles across various levels (organization, project, application), HCP's role precedence enforces the most elevated role assigned to the user.
The following table lists HCP Vault Secrets roles and permissions at the organization and project level. It is a recommended practice to used the App manager role for at least one HCP user or service principal in the project(s) where HCP Vault Secrets is used to manage integrations.
HCP Vault Secrets organization and project permissions | Viewer | Contributor | Admin | App manager | App secrets reader | Integration manager | Integration reader |
---|---|---|---|---|---|---|---|
Create and edit applications | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
View applications | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Delete applications | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
Create secrets and new versions of secrets | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
Read secrets | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Edit secrets | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
Delete secrets | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
View audit logs | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Add existing users or service principals to applications | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Remove users or service principals from applications | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Create and manage sync integrations | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ |
Connect sync integrations | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
Disconnect sync integrations | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
Read rotating secrets | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Create rotating secrets | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Edit rotating secrets | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
Delete rotating secrets | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
Generate dynamic secrets credentials | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Create dynamic secrets | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Edit dynamic secrets | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Delete dynamic secrets | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
The following table lists HCP Vault Secrets roles and permissions at the application level. It is a recommended practice to assign application level access to HCP user(s) or service principal(s) who only have an application level role assigned to them when possible.
HCP Vault Secrets app permissions | App manager | App secrets reader | Integration manager | Integration reader |
---|---|---|---|---|
Create and edit applications | ✅ | ❌ | ❌ | ❌ |
View applications | ✅ | ✅ | ❌ | ❌ |
Delete applications | ✅ | ❌ | ❌ | ❌ |
Create static secrets and new versions of secrets | ✅ | ❌ | ❌ | ❌ |
Read static secrets | ✅ | ✅ | ❌ | ❌ |
Edit static secrets | ✅ | ❌ | ❌ | ❌ |
Delete static secrets | ✅ | ❌ | ❌ | ❌ |
View audit logs | ❌ | ❌ | ❌ | ❌ |
Add existing users or service principals to applications | ✅ | ❌ | ❌ | ❌ |
Remove users or service principals from applications | ✅ | ❌ | ❌ | ❌ |
Create sync integrations | ❌ | ❌ | ✅ | ❌ |
Manage sync integrations | ❌ | ❌ | ✅ | ❌ |
Delete sync integrations | ❌ | ❌ | ✅ | ❌ |
Connect sync integrations | ❌ | ❌ | ✅ | ❌ |
Disconnect sync integrations | ❌ | ❌ | ✅ | ❌ |
Get integrations | ❌ | ❌ | ✅ | ✅ |
List integrations | ❌ | ❌ | ✅ | ✅ |
Create integrations | ✅ | ❌ | ✅ | ❌ |
Update integrations | ✅ | ❌ | ✅ | ❌ |
Delete integrations | ✅ | ❌ | ✅ | ❌ |
Read rotating secrets | ✅ | ✅ | ✅ | ❌ |
Create rotating secrets | ❌ | ❌ | ✅ | ❌ |
Edit rotating secrets | ✅ | ❌ | ✅ | ❌ |
Delete rotating secrets | ✅ | ❌ | ✅ | ❌ |
Generate dynamic secrets credentials | ✅ | ✅ | ✅ | ❌ |
Create dynamic secrets | ❌ | ❌ | ✅ | ❌ |
Edit dynamic secrets | ❌ | ❌ | ✅ | ❌ |
Delete dynamic secrets | ✅ | ❌ | ✅ | ❌ |
Assign role to user, service principal or group
HCP administrators can assign the HCP Vault Secrets app manager or secrets reader
role using the HCP Portal. Refer to the Terraform Registry for information on
using the vault_secrets_app_iam_binding
resource.
Open a browser and navigate to the HCP Portal.
Log in with an HCP IAM user with the HCP admin role.
Select the organization you want to assign permissions for.
Click Access control (IAM).
Click Add new assignment.
(Optional) Click the Type pulldown menu and select Group, Service principal, or User.
Type the name(s) in the Search field, and select the user, group, or service principal you are granting access to.
Click the Select service pulldown menu and select Secrets.
Click Select role(s) and select the role you want to provide.
Verify the new role(s) under Review changes for....
Click Save.
The user, group, or service principal now has permissions based on the selected role.
Role names and role IDs
When managing access control configuration using the HCP Terraform provider or public APIs, you must properly format the role IDs you reference. The table below lists role names and their corresponding role IDs.
Role Name | Role ID |
---|---|
App Manager | roles/secrets.app-manager |
App Secrets Reader | roles/secrets.app-secret-reader |
Integration Manager | roles/secrets.integration-manager |
Integration Reader | roles/secrets.integration-reader |