HashiCorp Cloud Platform
Secrets inventory reporting
Integrating Vault as your secrets management solution can increase security and reduce the operational overhead of protecting sensitive data. However, it is critical to set the right permissions to control access to that data.
Vault secrets inventory reporting increases visibility into the secrets Vault manages through the UI and API. The reporting services use telemetry to collect and surface data about when secrets are being accessed, modified, and destroyed.
Enable secrets inventory reporting
To enable reporting during setup of a new Vault cluster, select the 'Enable Reporting' option when creating the cluster.
Log into the HCP Portal.
Navigate to the HCP project you want to create an HCP Vault Dedicated cluster in.
Select Vault Dedicated, and click Create cluster and make your cluster selections.
Select the Enable reporting toggle button.

Click Create cluster.
Once the cluster is up and running, you can start storing secrets.
Enable Reporting on existing clusters
To enable reporting on existing clusters, select the 'Enable Reporting' option when editing the configuration of an existing cluster. This will scan the Vault cluster and collect telemetry about the current state of Vault to populate the secret inventory report.
Note that this scanning will not work for certificates in the cluster. It is recommended that reporting be enabled for certificates at the outset of certificate cluster creation. Alternatively, if certificates already exist, reporting should be enabled for that cluster and allowed to soak for 60 days before beginning to use the reporting functionality so that it is populated with certificates.
Scanning can take up to 2 hours depending on the size of the cluster. During the scan, an updating state is shown and reporting is not accessible. There will be a column titled Scanned At which denotes the date and time a secret was scanned and its telemetry data added to the reporting service.
Log into the HCP Portal.
Navigate to the HCP project you want to create an HCP Vault Dedicated cluster in.
Select Vault Dedicated, and click on the cluster you want to enable reporting for.
Click on Manage and, from the dropdown menu, select the Edit Configuration option.
On the cluster edit configuration screen, select the Enable reporting toggle button.
Disabling Reporting on a Cluster
Disabling reporting on a cluster is possible by following the steps below. However, it is not recommended that reporting be disabled, as the data will be deleted from our systems. Scanning an existing cluster multiple times will result in loss of data from the date that reporting was first disabled on the cluster, and re-enrolling the same cluster will result in
For security purposes, HashiCorp does not retain data which has been deleted and cannot provide a backup of reporting data once reporting has been disabled.
View secrets inventory report
The admin role has access to secrets inventory reporting. Non-admin users additionally need the Report reader role for the Vault reporting service to view the report.
This grants access to certificate reporting as well as secret inventory reporting, and the ability to use a cluster's Saved Views but not modify them.
In the HCP Portal, select Vault Dedicated.
Select Secrets Inventory.

You can filter the data using the saved views. Also, you can order the Last accessed and Last modified timestamps in ascending or descending order by date.
Available column data
You can select or deselect the column fields to display.

The table below lists available column fields and their description.
| Table Column | Description |
|---|---|
| Secret name | The secret key of the data. Type of secret can be static, dynamic, or auto-rotating. |
| Engine | Type of secrets engine (KV v1, KV v2, AWS, GCP, Azure, database, transit, etc.) |
| Namespace | The Vault namespace where the secret was created. |
| Mount path | The path where the secrets engine or authentication method is enabled. |
| Created | The timestamp of secret creation and the entity ID of the user who created the secret. |
| Last modified | The timestamp of when the secret was last modified (such as changing the secret values, deleting, or undeleting a secret), and the entity ID of who modified it. |
| Last accessed | The timestamp of when the secret was last accessed (read or used). |
| Versions | The version of the secrets associated with KV v2 secrets. |
| Next rotation | The next rotation date of the secret based on the rotation policy. |
| TTL | How long a secret remains valid based on time-to-live (TTL) policy. |
| Deleted | Deleted or destroyed secrets. |
Saved views
Saved Views are a combination of filters and fields applied to the Secret Inventory report to return a specific set of data. There are 3 saved views by default on your cluster when reporting is enabled: Static secrets not accessed in the last 90 days, Upcoming secret rotations in the next 30 days, and Long lived secrets that have not been updated in 90+ days.
These saved views can be rearranged and modified to your specific organization's needs. As an administrator, you can edit and modify existing saved views which are available to any Report Reader or other admins on the Vault cluster to use. Project members with the Report reader role will be able to use Saved Views that admins create but cannot modify them.
Create a saved view
- Create a saved view by making selections from the Secrets Engine, Filters or Fields drop downs
- Click on saved view to the right of the Fields drop down
- Give your saved view a name which describes the data it is surfacing and a description of how to use that saved view
- Click Save and your saved view will appear in the carousel in the last position
Modify a saved view
- Click on the three dots to the right of the saved view title
- Select Rename
- Make edits
- Click Update
Rearrange your saved views by clicking on the three dots to the right of the saved view title and selecting Rearrange. Drag and drop the saved views into your preferred order and click Save.
Download secrets inventory report
You can export the secrets inventory report data with filters applied.
- From the Secrets Inventory page, click Export.
- Select the desired file format: JSON or CSV.
- Click Continue.
- Click Download records, and select the download location.
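An offline pass over an exported CSV that reproduces the three default saved views, added here as an example and not HashiCorp's code. The header names, the ISO 8601 timestamp format, and the treatment of KV engines as static secrets are assumptions modeled on the column table above; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. Header names and the ISO 8601 timestamp format are
# assumptions modeled on the column table, not the documented export schema.
SAMPLE_CSV = """Secret name,Engine,Namespace,Mount path,Last modified,Last accessed,Next rotation,Deleted
app/db-password,KV v2,admin,secret/,2024-01-10T09:00:00Z,2024-01-12T09:00:00Z,,false
ci/deploy-token,KV v2,admin,secret/,2024-05-20T09:00:00Z,2024-05-28T09:00:00Z,,false
payments/db-root,database,admin/payments,database/,2024-05-01T00:00:00Z,2024-05-30T00:00:00Z,2024-06-15T00:00:00Z,false
legacy/api-key,KV v1,admin,kv/,2023-11-01T00:00:00Z,2023-11-02T00:00:00Z,,true
"""


def _ts(value):
    """Parse an ISO 8601 timestamp; empty cells become None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def triage(csv_text, now):
    """Bucket exported rows the way the three default saved views do."""
    views = {"not_accessed_90d": [], "rotation_next_30d": [], "not_updated_90d": []}
    cutoff = now - timedelta(days=90)
    horizon = now + timedelta(days=30)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Deleted"].strip().lower() == "true":
            continue  # deleted or destroyed secrets need no follow-up
        name = row["Mount path"] + row["Secret name"]
        accessed = _ts(row["Last accessed"])
        modified = _ts(row["Last modified"])
        rotation = _ts(row["Next rotation"])
        static = row["Engine"].startswith("KV")  # assumption: KV engines hold static secrets
        if static and (accessed is None or accessed < cutoff):
            views["not_accessed_90d"].append(name)  # never-read secrets count as stale
        if rotation is not None and now <= rotation <= horizon:
            views["rotation_next_30d"].append(name)
        if modified is not None and modified < cutoff:
            views["not_updated_90d"].append(name)
    return views


if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for view, names in triage(SAMPLE_CSV, fixed_now).items():
        print(view, names)
```

Secrets that land in both the not-accessed and not-updated buckets are the natural first candidates for review or removal.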