Secrets inventory reporting

Beta feature

This feature is currently available as a beta release. Beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.

Limitations for beta

The secrets inventory reporting is available for:

New and existing HCP Vault Dedicated clusters running on Amazon Web Services or Microsoft Azure
Key/value secrets engine version 1 and version 2
Database secrets engines

Prerequisites

To view the inventory reports, make sure to enable the reporting on your HCP Vault Dedicated clusters.

View secrets inventory report

The admin role has access to secrets inventory reporting. For non-admin users, you need the secrets inventory report reader role for Vault reporting service in addition to view the report.

Tip

Refer to the access management page to learn more about assigning IAM roles.

In the HCP Portal, select Vault Dedicated.
Select Secrets Inventory.
You can filter the data using the quick filters. Also, you can order the Last accessed and Last modified timestamps in ascending or descending dates.

Available column data

You can select or deselect the column fields to display. Secrets inventory reporting dashboard example

The table below lists available column fields and their description.

Table Column	Description
Secret name	The secret key of the data. Type of secret can be static, dynamic, or auto-rotating.
Engine	Type of secrets engine (KV v1, KV v2, AWS, GCP, Azure, database, transit, etc.)
Namespace	The Vault namespace where the secrets created in.
Mount path	The path of the secrets engine or authentication method has enabled at.
Created	The timestamp of secret creation and entity ID of user who created the secret.
Last modified	The timestamp of when the secret was last modified, and the entity ID of who modified the secret such as changing the secret values, deleting or undeleting a secret.
Last accessed	The timestamp of when the secret was last accessed (read or used).
Versions	The version of the secrets associated with KV v2 secrets.
Next rotation	The next rotation date of the secret based on the rotation policy.
TTL	How long a secret remains valid based on time-to-live (TTL) policy.
Deleted	Deleted or destroyed secrets.

Saved views

Saved views are a combination of filters and fields applied to the secrets inventory report to return a specific set of data. When you enable reporting on your cluster, it creates three default saved views:

Static secrets not accessed in the last 90 days
Upcoming secret rotations in the next 30 days
Long‑lived secrets that have not been updated in more than 90 days

You can rearrange those saved views and modify them to your specific organization's needs. As an administrator, you can edit and modify existing saved views which are available to any report reader or other admins on the Vault cluster to use. Project members with the report reader role will be able to use saved views that admins create but cannot modify them.

Create a saved view

Create a saved view by making selections from the Role, Filters or Fields drop-downs.

Click on saved view to the right of the Fields drop-down.
Enter a name that describes the data it is surfacing and a description of how to use that saved view.
Click Save. Your saved view will appear in the carousel in the last position.

Modify a saved view

Click the three dots to the right of the saved view title.
Select Rename.
Edit the report.
Click Update.

Rearrange your saved views by clicking on the three dots to the right of the saved view title and selecting Rearrange. Drag and drop the saved views in your preferred order and click save.

Download secrets inventory report

You can export the secrets inventory report data with filters applied.

From the Secrets Inventory page, click Export.
Select the desired file format: JSON, or CSV.
Click Continue.
Click Download records, and select the download location.

Note

You can export up to 1,000 rows of data. When the filtered report exceeds 1,000 rows of data, it returns an error.