Skip to content

HashiCorp Vault Permissions Reference

This section explains the required ACL policy permissions for integrating HashiCorp Vault with SailPoint Entro.


Management → Accounts & Integrations → HashiCorp Vault → Permissions Reference


Required Permissions

The following ACL configuration enables SailPoint Entro to perform metadata scanning while ensuring no secret content is exposed.

path "*" {
  capabilities = ["list", "read"]
}
path "auth/token/lookup-accessor" {
  capabilities = ["update"]
}
path "auth/token/accessors" {
  capabilities = ["list", "sudo"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}

Note

SailPoint Entro does not retrieve or decrypt secret values — all access is limited to metadata and identifiers.


Permissions Justification

Path Capabilities Purpose
* list, read Allows listing and reading metadata for all paths to identify stored secrets
auth/token/lookup-accessor update Enables SailPoint Entro to manage its own token session
auth/token/accessors list, sudo Required for token accessor visibility and role validation
auth/token/renew-self update Allows SailPoint Entro to automatically renew its authentication token

KV V2 Metadata-Only Configuration (Optional)

For organizations using KV v2 Secret Engines, you may apply a refined ACL for metadata-only access.

  1. List secret engines and their paths

    vault secrets list -detailed | grep -E "^\S+\s+(kv|generic)"
    
  2. Create an ACL policy for each listed path

    path "sys/mounts" {
      capabilities = ["read"]
    }
    path "<PATH>/metadata" {
      capabilities = ["list"]
    }
    path "<PATH>/metadata/*" {
      capabilities = ["list", "read"]
    }
    path "sys/auth" {
      capabilities = ["read"]
    }
    path "auth/userpass/users" {
      capabilities = ["list"]
    }
    path "auth/userpass/users/*" {
      capabilities = ["list", "read"]
    }
    path "auth/token/lookup-self" {
      capabilities = ["read"]
    }
    path "auth/token/renew-self" {
      capabilities = ["update"]
    }
    
  3. Replace <PATH> with the relevant KV mount path (e.g., secret/).


Access Summary

  • All operations are read-only
  • No secret data retrieved or stored
  • Tokens and ACL policies encrypted within SailPoint Entro's Worker
  • TLS 1.2+ required for all API communication

Compliance & Security Notes

  • Integration complies with SOC 2 Type II, ISO 27001, and GDPR

  • Supports metadata-only scanning for KV v2 Secret Engines

  • All data encrypted in transit and at rest (TLS 1.2+, AES-256)