HashiCorp Cloud Platform
Secrets inventory reporting
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
Limitations for beta
The secrets inventory reporting is available for:
- A new HCP Vault Dedicated cluster running on Amazon Web Services
- Key/value secrets engine version 1 and version 2
Integrating Vault as your secrets management solution can increase security and reduce the operational overhead of protecting sensitive data. However, it is critical to set the right permissions to control access to that data.
Vault secrets inventory reporting increases visibility into the secrets Vault manages through the UI and API. The reporting services use telemetry to collect and surface data about when secrets are being accessed, modified, and destroyed.
Enable secrets inventory reporting
Sign up for the beta program
Before you can enable reporting in your Vault clusters, HashiCorp has to enable a feature flag for your organization. Fill out the form to participate in the beta program.
- Log into the HCP Portal.
- Navigate to the HCP project in which you want to create an HCP Vault Dedicated cluster.
- Select Vault Dedicated, click Create cluster, and make your cluster selections.
  Tip: Refer to the create a new HCP Vault Dedicated cluster page for more details.
- Select the Enable reporting toggle button.
- Click Create cluster.
Once the cluster is up and running, you can start storing secrets.
View secrets inventory report
The admin role has access to secrets inventory reporting. Non-admin users additionally need the secrets inventory report reader role for the Vault reporting service to view the report.
Tip
Refer to the access management page to learn more about assigning IAM roles.
- In the HCP Portal, select Vault Dedicated.
- Select Secrets Inventory.
You can filter the data using the quick filters. You can also sort the Last accessed and Last modified timestamps in ascending or descending order.
Available column data
You can select or deselect the column fields to display.
The table below lists available column fields and their description.
| Table Column | Description |
|---|---|
| Secret name | The secret key of the data. The secret type can be static, dynamic, or auto-rotating. |
| Engine | Type of secrets engine (KV v1, KV v2, AWS, GCP, Azure, database, transit, etc.). |
| Namespace | The Vault namespace in which the secret was created. |
| Mount path | The path at which the secrets engine or authentication method is enabled. |
| Created | The timestamp of secret creation and the entity ID of the user who created the secret. |
| Last modified | The timestamp of when the secret was last modified, and the entity ID of who modified it, for example by changing the secret values or deleting or undeleting the secret. |
| Last accessed | The timestamp of when the secret was last accessed (read or used). |
| Versions | The version of the secret; applies to KV v2 secrets. |
| Next rotation | The next rotation date of the secret based on its rotation policy. |
| TTL | How long a secret remains valid based on its time-to-live (TTL) policy. |
| Deleted | Whether the secret has been deleted or destroyed. |
Download secrets inventory report
You can export the secrets inventory report data with filters applied.
- From the Secrets Inventory page, click Export.
- Select the desired file format: JSON, or CSV.
- Click Continue.
- Click Download records, and select the download location.
Note
You can export up to 1,000 rows of data. When the filtered report exceeds 1,000 rows, the export returns an error.
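As an added example (not HashiCorp's code or the documented export schema), the script below reads an exported JSON inventory report and flags live secrets whose Last accessed timestamp is older than a retention window, or that have never been read at all. The sample report and its field names (`secret_name`, `last_accessed`, `deleted`, and so on) are constructed here to mirror the report columns and are assumptions, so map them to the actual keys in your export.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an exported inventory report. The field names are
# assumptions modelled on the report's columns, not HCP's documented schema.
SAMPLE_REPORT = json.dumps([
    {"secret_name": "db/prod-password", "engine": "kv-v2", "mount_path": "secret/",
     "created": "2024-01-10T08:00:00Z", "last_accessed": "2024-01-12T09:30:00Z",
     "last_modified": "2024-01-10T08:00:00Z", "deleted": False},
    {"secret_name": "api/stripe-key", "engine": "kv-v2", "mount_path": "secret/",
     "created": "2024-03-01T10:00:00Z", "last_accessed": "2024-05-20T11:00:00Z",
     "last_modified": "2024-03-01T10:00:00Z", "deleted": False},
    {"secret_name": "legacy/ftp", "engine": "kv-v1", "mount_path": "kv/",
     "created": "2023-06-01T00:00:00Z", "last_accessed": None,
     "last_modified": "2023-06-01T00:00:00Z", "deleted": False},
    {"secret_name": "old/token", "engine": "kv-v2", "mount_path": "secret/",
     "created": "2023-01-01T00:00:00Z", "last_accessed": "2023-02-01T00:00:00Z",
     "last_modified": "2023-01-01T00:00:00Z", "deleted": True},
])

def parse_ts(value):
    """Parse an RFC 3339 timestamp; None stays None (secret never accessed)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_stale_secrets(report_json, now, max_idle_days=90):
    """Return names of live secrets not read within max_idle_days.

    A secret with no last_accessed value counts as stale: it was written but
    never read, which usually means an unused credential worth reviewing.
    Deleted or destroyed entries are skipped since they are already out of use.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for row in json.loads(report_json):
        if row.get("deleted"):
            continue
        last = parse_ts(row.get("last_accessed"))
        if last is None or last < cutoff:
            stale.append(row["secret_name"])
    return sorted(stale)

def stale_in_sample():
    """Run the check over the constructed sample as of a fixed date."""
    return find_stale_secrets(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name in stale_in_sample():
        print("stale:", name)
```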