HashiCorp Vault permission requirements

In HashiCorp Vault, grant the driver access to the Vault PKI paths with a policy. Policies are written in HashiCorp Configuration Language (HCL). For more information, see https://www.vaultproject.io/docs/concepts/policies.

The HashiCorp Vault PKI application driver requires the following permissions on the pki path of a mounted PKI secrets engine:

HashiCorp Path        Required Permissions
pki/*                 Read and list permissions.
pki/config/*          Read, list, create, and update permissions, so the driver can set the CRL and OCSP addresses for the CA.
pki/intermediate/*    Read, list, create, and update permissions, so the driver can generate a key pair and CSR for the CA and install the subordinate CA certificate.
pki/roles/*           Read, list, create, and update permissions, so the driver can create and update roles for the PKI secrets engine.
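The permissions above expressed as a Vault policy, as an added example rather than a policy shipped with the driver or the documentation. It assumes the PKI secrets engine is mounted at pki (the prefix the table uses) and that the policy file and policy name (policy.hcl, pki-driver) are your own choices.

```hcl
# Added example: Vault policy granting the permissions listed above.
# Assumes the PKI secrets engine is mounted at "pki"; change the prefix
# if your mount path differs. Load it and attach it to the token or
# auth role the driver authenticates with, for example:
#   vault policy write pki-driver policy.hcl

# pki/*: read and list only. Vault applies the most specific (longest)
# matching path, so the narrower rules below override this one under
# their own prefixes rather than being limited by it.
path "pki/*" {
  capabilities = ["read", "list"]
}

# pki/config/*: lets the driver set the CRL and OCSP addresses for the CA.
path "pki/config/*" {
  capabilities = ["read", "list", "create", "update"]
}

# pki/intermediate/*: lets the driver generate the CA key pair and CSR
# and install the signed subordinate CA certificate.
path "pki/intermediate/*" {
  capabilities = ["read", "list", "create", "update"]
}

# pki/roles/*: lets the driver create and update PKI secrets engine roles.
path "pki/roles/*" {
  capabilities = ["read", "list", "create", "update"]
}
```

No delete capability is granted on any path, which matches the table; if you see the driver fail with a permission denied error on a path outside these four prefixes, extend the policy deliberately rather than widening pki/* to all capabilities.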