Configure HCP Vault Secrets permissions

Using HCP's role based access control, you can configure and manage HCP Vault Secrets permissions granularly at the application level or more broadly across projects and across the organization level. Assigning permissions at the application level follows the principal of least privilege and restricts access to other HCP services.

If a user or service principal is assigned multiple roles across various levels (organization, project, application), HCP's role precedence enforces the most elevated role assigned to the user.

The following table lists HCP Vault Secrets roles and permissions at the organization and project level. It is a recommended practice to used the App manager role for at least one HCP user or service principal in the project(s) where HCP Vault Secrets is used to manage integrations.

HCP Vault Secrets organization and project permissions	Viewer	Contributor	Admin	App manager	App secrets reader
Create and edit applications	❌	✅	✅	✅	❌
View applications	✅	✅	✅	✅	✅
Delete applications	❌	✅	✅	✅	❌
Create secrets and new versions of secrets	❌	✅	✅	✅	❌
Read secrets	✅	✅	✅	✅	✅
Edit secrets	❌	✅	✅	✅	❌
Delete secrets	❌	✅	✅	✅	❌
View audit logs	❌	❌	✅	❌	❌
Add existing users or service principals to applications	❌	❌	✅	❌	❌
Remove users or service principals from applications	❌	❌	✅	❌	❌
Create and manage sync integrations	✅	✅	✅	❌	❌
Connect sync integrations	✅	✅	✅	✅	❌
Disconnect sync integrations	✅	✅	✅	✅	❌
Read rotating secrets	✅	✅	✅	✅	✅
Create rotating secrets	❌	✅	✅	❌	❌
Edit rotating secrets	❌	✅	✅	✅	❌
Delete rotating secrets	❌	✅	✅	✅	❌
Generate dynamic secrets credentials	✅	✅	✅	✅	✅
Create dynamic secrets	❌	✅	✅	❌	❌
Edit dynamic secrets	❌	✅	✅	❌	❌
Delete dynamic secrets	❌	✅	✅	✅	❌

The following table lists HCP Vault Secrets roles and permissions at the application level. It is a recommended practice to assign application level access to HCP user(s) or service principal(s) who only have an application level role assigned to them when possible.

Note

Integration usage (Sync, Auto-rotating, and Dynamic) for the App manager role is coming soon.

HCP Vault Secrets app permissions	App manager	App secrets reader
Create and edit applications	✅	❌
View applications	✅	✅
Delete applications	✅	❌
Create static secrets and new versions of secrets	✅	❌
Read static secrets	✅	✅
Edit static secrets	✅	❌
Delete static secrets	✅	❌
View audit logs	❌	❌
Add existing users or service principals to applications	✅	❌
Remove users or service principals from applications	✅	❌
Create sync integrations	❌	❌
Manage sync integrations	❌	❌
Delete sync integrations	❌	❌
Connect sync integrations	❌	❌
Disconnect sync integrations	❌	❌
Read rotating secrets	✅	✅
Create rotating secrets	❌	❌
Edit rotating secrets	✅	❌
Delete rotating secrets	✅	❌
Generate dynamic secrets credentials	✅	✅
Create dynamic secrets	❌	❌
Edit dynamic secrets	❌	❌
Delete dynamic secrets	✅	❌

Assign role to user, service principal or group

HCP administrators can assign the HCP Vault Secrets app manager or secrets reader role using the HCP Portal. Refer to the Terraform Registry for information on using the vault_secrets_app_iam_binding resource.

Open a browser and navigate to the HCP Portal.
Log in with an HCP IAM user with the HCP admin role.
Select the organization you want to assign permissions for.
Click Access control (IAM).
Click Add new assignment.
(Optional) Click the Type pulldown menu and select Group, Service principal, or User.
Type the name(s) in the Search field, and select the user, group, or service principal you are granting access to.
Click the Select service pulldown menu and select Secrets.
Click Select role(s) and select the role you want to provide.
Verify the new role(s) under Review changes for....
Click Save.

Open a browser and navigate to the HCP Portal.
Log in with an HCP IAM user with the HCP admin role.
Select the project you want to assign permissions for.
Click Access control (IAM).
Click Add new assignment.
(Optional) Click the Type pulldown menu and select Group, Service principal, or User.
Type the name(s) in the Search field, and select the user, group, or service principal you are granting access to.
Click the Select service pulldown menu and select Secrets.
Click Select role(s) and select the role you want to provide.
Verify the new role(s) under Review changes for....
Click Save.

HCP administrators or users with the App manager role at the app level can assign the HCP Vault Secrets app manager or secrets reader role at the app level using the HCP Portal.

Open a browser and navigate to the HCP Portal.
Log in with an HCP IAM user with the HCP admin role.
Select the project you want to assign permissions for.
Click Vault Secrets.
Click the app you want to assign permissions for.
Click Role assignments.
(Optional) Click the Type pulldown menu and select Group, Service principal, or User.
Type the name(s) in the Search field, and select the user, group, or service principal you are granting access to.
Click the Select service pulldown menu and select Secrets.
Click Select role(s) and select the role you want to provide.
Verify the new role(s) under Review changes for....
Click Save.

The user, group, or service principal now has permissions based on the selected role.

Role names and role IDs

When managing access control configraton using the HCP Terraform provider or public APIs, you must properly format the role IDs you reference. The table below lists role names and their corresponding role IDs.

Role Name	Role ID
App Manager	`roles/secrets.app-manager`
App Secrets Reader	`roles/secrets.app-secret-reader`