HCP Vault Secrets permissions
HCP user accounts inherit permissions based on their roles at either the organization or project level.
When a user account is assigned multiple roles, the permission set from each role is additive. For example, if userA has the HCP organization admin role and is then given the viewer role in the project where HCP Vault Secrets is configured, the effective permission for userA in HCP Vault Secrets will be admin.
The following table lists HCP Vault Secrets permissions based on Role-Based Access Control (RBAC).
HCP Vault Secrets permissions | Viewer | Contributor | Admin | App Manager | App Secrets Reader |
---|---|---|---|---|---|
Create and edit applications | ❌ | ✅ | ✅ | ✅ | ❌ |
View applications | ✅ | ✅ | ✅ | ✅ | ✅ |
Delete applications | ❌ | ✅ | ✅ | ✅ | ❌ |
Create secrets and new versions of secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
Read secrets | ✅ | ✅ | ✅ | ✅ | ✅ |
Edit secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
Delete secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
View audit logs | ❌ | ❌ | ✅ | ❌ | ❌ |
Add existing users or service principals to applications | ❌ | ❌ | ✅ | ❌ | ❌ |
Remove users or service principals from applications | ❌ | ❌ | ✅ | ❌ | ❌ |
Create and manage sync integrations | ❌ | ✅ | ✅ | ❌ | ❌ |
Connect sync integrations | ❌ | ✅ | ✅ | ✅ | ❌ |
Disconnect sync integrations | ❌ | ✅ | ✅ | ✅ | ❌ |
You can now assign the App Manager and App Secrets Reader roles to users, service principals, and groups at the project level using the IAM tab in the UI.
How you can do this via Terraform HashiCorp Cloud Platform (HCP) Provider
Currently, the App Manager and App Secrets Reader roles can be assigned at both the project and app levels through the Terraform HashiCorp Cloud Platform (HCP) Provider.
Although you can assign a role to a user or group at the app level through the Terraform HCP Provider, a principal with no role at the project level cannot navigate to these resources in the project from the UI. If you assign no role at the project level, make sure the user or group you are assigning it to only accesses the resources through the API or the SDK. Use the policy resource or the binding resource to assign a fine-grained role to the principal of your choice.
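As an added example (not from the HCP documentation or the provider's own examples), the configuration below follows the guidance above: an app-level App Secrets Reader binding for a CI service principal that only uses the API or SDK, and a project-level App Manager binding for an operator principal that also needs UI access. The `payments-api` app, the principal names, and the `project_id` variable are constructed placeholders, and the `roles/secrets.*` identifiers are assumed from the provider's naming convention; confirm them against the provider documentation before applying.

```hcl
terraform {
  required_providers {
    hcp = {
      source = "hashicorp/hcp"
    }
  }
}

# Placeholder: the HCP project that hosts the Vault Secrets app.
variable "project_id" {
  type        = string
  description = "HCP project resource ID (placeholder, not from this page)"
}

# The application whose secrets are being protected (constructed example).
resource "hcp_vault_secrets_app" "payments" {
  app_name    = "payments-api"
  description = "Secrets for the payments service (example)"
}

# Workload identity for CI: needs to read secrets and nothing else.
resource "hcp_service_principal" "ci_reader" {
  name = "payments-ci-reader"
}

# App-level binding: least privilege, read-only on this single app.
# No project-level role is granted, so this principal can use the
# API/SDK only and cannot navigate to the project in the UI.
resource "hcp_vault_secrets_app_iam_binding" "ci_reader" {
  resource_name = hcp_vault_secrets_app.payments.resource_name
  principal_id  = hcp_service_principal.ci_reader.resource_id
  role          = "roles/secrets.app-secret-reader" # assumed role ID
}

# Operator identity that manages apps and secrets across the project.
resource "hcp_service_principal" "ops_manager" {
  name = "secrets-ops-manager"
}

# Project-level binding: App Manager grants create/edit/delete on apps
# and secrets but not audit-log access or membership changes, which
# per the table above remain Admin-only.
resource "hcp_project_iam_binding" "ops_manager" {
  project_id   = var.project_id
  principal_id = hcp_service_principal.ops_manager.resource_id
  role         = "roles/secrets.app-manager" # assumed role ID
}
```

Because HCP roles are additive, check that neither principal also holds a broader organization- or project-level role that would silently widen the effective permission set.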
Review the Project level Terraform Provider documentation for additional information on how to use the Terraform Provider for project level assignment.
Review the Vault Secrets security model documentation for additional information.
Assign permissions to users
Refer to the users page to learn how to invite users and assign roles.
The service principals page describes how to create a service principal.