Create an administrative namespace
Grant access to a predefined subset of privileged system backend endpoints in the Vault API with an administrative namespace.
HCP Vault Dedicated has a built-in administrative namespace
HCP Vault Dedicated clusters include an administrative namespace (admin) by default.
For more information on managing namespaces with HCP Vault Dedicated, refer to the
HCP Vault Dedicated namespace considerations
guide.
Before you start
- You must have Vault Enterprise 1.15+ installed and running.
- You must have access to your Vault configuration file.
- You must have permission to create and manage namespaces for your Vault instance.
Step 1: Create your namespace
Use the namespace create CLI command to create a new namespace:
For example, to create a namespace called "ns_admin" under the root namespace:
Step 2: Give the namespace admin permission
To create an administrative namespace, set the administrative_namespace_path
parameter in your Vault configuration with the absolute path of your new
namespace. We recommend setting the namespace path with the other string
assignments in your configuration file. For example:
Step 3: Verify the new permissions
To verify permissions for the administrative namespace, compare API responses from a restricted endpoint from your new namespace and another namespace without elevated permissions.
If you do not already have a namespace you can use for testing, create a test namespace called "ns_test" with the
namespace createCLI command:Use the
monitorCLI command to call the/sys/monitorendpoint from your test namespace:You should see an unsupported path error:
Now use the
monitorcommand to call thesys/monitorendpoint from your administrative namespace:You should see log data from your Vault instance streaming to the terminal:
Next steps
- Follow the Secure multi-tenancy with namespaces tutorial to provide additional security and ensure teams can self-manage their own environments.
- Read more about managing namespaces in Vault Enterprise.