HashiCorp Vault Permissions Reference
This section explains the required ACL policy permissions for integrating HashiCorp Vault with SailPoint Entro.
Navigation Path
Management → Accounts & Integrations → HashiCorp Vault → Permissions Reference
Required Permissions
The following ACL configuration enables SailPoint Entro to perform metadata scanning while ensuring no secret content is exposed.
path "*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-accessor" {
capabilities = ["update"]
}
path "auth/token/accessors" {
capabilities = ["list", "sudo"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}
Note
SailPoint Entro does not retrieve or decrypt secret values — all access is limited to metadata and identifiers.
Permissions Justification
| Path | Capabilities | Purpose |
|---|---|---|
* |
list, read | Allows listing and reading metadata for all paths to identify stored secrets |
auth/token/lookup-accessor |
update | Enables SailPoint Entro to manage its own token session |
auth/token/accessors |
list, sudo | Required for token accessor visibility and role validation |
auth/token/renew-self |
update | Allows SailPoint Entro to automatically renew its authentication token |
KV V2 Metadata-Only Configuration (Optional)
For organizations using KV v2 Secret Engines, you may apply a refined ACL for metadata-only access.
-
List secret engines and their paths
-
Create an ACL policy for each listed path
path "sys/mounts" { capabilities = ["read"] } path "<PATH>/metadata" { capabilities = ["list"] } path "<PATH>/metadata/*" { capabilities = ["list", "read"] } path "sys/auth" { capabilities = ["read"] } path "auth/userpass/users" { capabilities = ["list"] } path "auth/userpass/users/*" { capabilities = ["list", "read"] } path "auth/token/lookup-self" { capabilities = ["read"] } path "auth/token/renew-self" { capabilities = ["update"] } -
Replace
<PATH>with the relevant KV mount path (e.g.,secret/).
Access Summary
- All operations are read-only
- No secret data retrieved or stored
- Tokens and ACL policies encrypted within SailPoint Entro's Worker
- TLS 1.2+ required for all API communication
Compliance & Security Notes
-
Integration complies with SOC 2 Type II, ISO 27001, and GDPR
-
Supports metadata-only scanning for KV v2 Secret Engines
-
All data encrypted in transit and at rest (TLS 1.2+, AES-256)