Configure HCP Vault Secrets permissions
HCP user accounts inherit permissions from the roles assigned to them at the organization level, the project level, or both. When an account holds more than one role, the effective permission set is the union of the permissions granted by each role; a role at one level never reduces what another role already grants. For example, if userA holds the HCP organization admin role and is then given the viewer role in the project where HCP Vault Secrets is configured, userA's effective permission in HCP Vault Secrets is still admin, because the organization-level admin role already includes everything the project-level viewer role grants. Keep this in mind when auditing access: adding a restrictive project role to an organization admin does not restrict that user.
The following table lists HCP Vault Secrets permissions based on Role-Based Access Control (RBAC).
HCP Vault Secrets permissions | Viewer | Contributor | Admin | App Manager | App Secrets Reader |
---|---|---|---|---|---|
Create and edit applications | ❌ | ✅ | ✅ | ✅ | ❌ |
View applications | ✅ | ✅ | ✅ | ✅ | ✅ |
Delete applications | ❌ | ✅ | ✅ | ✅ | ❌ |
Create secrets and new versions of secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
Read secrets | ✅ | ✅ | ✅ | ✅ | ✅ |
Edit secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
Delete secrets | ❌ | ✅ | ✅ | ✅ | ❌ |
View audit logs | ❌ | ❌ | ✅ | ❌ | ❌ |
Add existing users or service principals to applications | ❌ | ❌ | ✅ | ❌ | ❌ |
Remove users or service principals from applications | ❌ | ❌ | ✅ | ❌ | ❌ |
Create and manage sync integrations | ❌ | ✅ | ✅ | ❌ | ❌ |
Connect sync integrations | ❌ | ✅ | ✅ | ✅ | ❌ |
Disconnect sync integrations | ❌ | ✅ | ✅ | ✅ | ❌ |
Review the Vault Secrets security model documentation for additional information.
Assign role to user
HCP administrators can assign the HCP Vault Secrets app manager or app secrets reader role (the two application-scoped roles in the table above) to a user, group, or service principal using the HCP Portal. To manage the same bindings as code, refer to the Terraform Registry documentation for the vault_secrets_app_iam_binding resource.
Before you begin, verify the user has an account in your HCP organization. If they are not part of the HCP organization, invite them before proceeding.

1. Open a browser and navigate to the HCP Portal.
2. Log in with an HCP IAM user that has the HCP admin role.
3. Select the project you want to assign permissions for.
4. Click Access control (IAM).
5. Click Add new assignment.
6. (Optional) Click the Type pulldown menu and select Group, Service principal, or User.
7. Click into the textbox, type the name(s) in the Search field, and select the user, group, or service principal you are granting access to.
8. Click the Select service pulldown menu and select Secrets.
9. Click Select role(s) and select the role you want to provide.
10. Verify the new role(s) under Review changes for....
11. Click Save.

The user, group, or service principal now has permissions based on the selected role.
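The same assignment expressed as Terraform, so that application-scoped role bindings are reviewed and versioned like any other infrastructure change. This is an added example, not configuration from the HCP documentation or the HCP Terraform provider's own examples. It assumes the HashiCorp `hcp` provider, where the binding resource is registered with the provider prefix as `hcp_vault_secrets_app_iam_binding` alongside `hcp_vault_secrets_app` and `hcp_service_principal`, and it assumes the role identifiers `roles/secrets.app-secret-reader` and `roles/secrets.app-manager` for the App Secrets Reader and App Manager roles; confirm both against the Terraform Registry page before applying. The app name `payments-api`, the service principal name `payments-ci`, and the variable `payments_lead_principal_id` are placeholders.

```hcl
terraform {
  required_providers {
    hcp = {
      source = "hashicorp/hcp"
    }
  }
}

# The provider reads HCP_CLIENT_ID and HCP_CLIENT_SECRET from the environment.
# Run this with a service principal that can manage IAM on the project, and
# keep those credentials out of the repository.
provider "hcp" {}

# Placeholder application; the bindings below are scoped to this app only.
resource "hcp_vault_secrets_app" "payments_api" {
  app_name    = "payments-api"
  description = "Secrets consumed by the payments service"
}

# Service principal used by the CI runner. It needs to read secrets and
# nothing else, so it never receives a project-level Viewer or Contributor role.
resource "hcp_service_principal" "payments_ci" {
  name = "payments-ci"
}

# App Secrets Reader on a single app: read secrets, view the app, no writes.
# Role id assumed from the provider documentation.
resource "hcp_vault_secrets_app_iam_binding" "payments_ci_reader" {
  resource_name = hcp_vault_secrets_app.payments_api.resource_name
  principal_id  = hcp_service_principal.payments_ci.resource_id
  role          = "roles/secrets.app-secret-reader"
}

# HCP IAM principal id of the person who rotates this app's secrets.
# Supplied at plan time; placeholder variable name.
variable "payments_lead_principal_id" {
  type        = string
  description = "HCP principal id of the user who manages payments-api secrets"
}

# App Manager on the same app: create, edit, and delete secrets and versions,
# but no audit-log access and no ability to grant others access (see table).
# Role id assumed from the provider documentation.
resource "hcp_vault_secrets_app_iam_binding" "payments_lead_manager" {
  resource_name = hcp_vault_secrets_app.payments_api.resource_name
  principal_id  = var.payments_lead_principal_id
  role          = "roles/secrets.app-manager"
}
```

Each `hcp_vault_secrets_app_iam_binding` grants exactly one role to one principal on one application, which is the least-privilege shape the table above supports: a CI identity that only reads secrets gets App Secrets Reader on its own app rather than Viewer on the whole project, and the ability to add or remove principals stays with project Admins, who are the only role in the table permitted to do so. Review the `terraform plan` output for unexpected `role` or `principal_id` changes before applying, since a binding change here is an access-control change.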