Oracle Cloud Infrastructure Documentation

Details for the Vault Service

This topic covers details for writing policies to control access to the Vault service.

Individual Resource-Types

vaults

keys

key-delegate

secrets

secret-versions

secret-bundles

Aggregate Resource-Type

secret-family

A policy that uses <verb> secret-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual secret resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in secret-family.

Supported Variables

Vault supports all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.

Variable                         Variable Type   Comments
request.includePlainTextKey      String          Use this variable to control whether to return the plaintext key, in addition to the encrypted key, in response to a request to generate a data encryption key.
request.kms-key.id               String          Use this variable to control whether block volumes or buckets can be created without a Vault master encryption key.
target.boot-volume.kms-key.id    String          Use this variable to control whether Compute instances can be launched with boot volumes that were created without a Vault master encryption key.
target.key.id                    Entity (OCID)   Use this variable to control access to specific keys by OCID.
target.vault.id                  Entity (OCID)   Use this variable to control access to specific vaults by OCID.
target.secret.name               String          Use this variable to control access to specific secrets, secret versions, and secret bundles by name.
target.secret.ocid               Entity (OCID)   Use this variable to control access to specific secrets, secret versions, and secret bundles by OCID.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the use verb for the keys resource-type includes the same permissions and API operations as the read verb, plus the KEY_ENCRYPT and KEY_DECRYPT permissions and a number of API operations (Encrypt, Decrypt, and GenerateDataEncryptionKey). The manage verb allows even more permissions and API operations when compared to the use verb.

Tables are provided for each individual resource-type: vaults, keys, key-delegate, secrets, secret-versions, and secret-bundles.

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

API Operation                    Permissions Required to Use the Operation

vaults
ListVaults                       VAULT_INSPECT
GetVault                         VAULT_READ
CreateVault                      VAULT_CREATE
UpdateVault                      VAULT_UPDATE
ScheduleVaultDeletion            VAULT_DELETE
CancelVaultDeletion              VAULT_DELETE
ChangeVaultCompartment           VAULT_MOVE

keys
ListKeys                         KEY_INSPECT
ListKeyVersions                  KEY_INSPECT
GetKey                           KEY_READ
CreateKey                        KEY_CREATE and VAULT_CREATE_KEY
EnableKey                        KEY_UPDATE
DisableKey                       KEY_UPDATE
UpdateKey                        KEY_UPDATE
ScheduleKeyDeletion              KEY_DELETE
CancelKeyDeletion                KEY_DELETE
ChangeKeyCompartment             KEY_MOVE
GetKeyVersion                    KEY_READ
CreateKeyVersion                 KEY_ROTATE
ImportKey                        KEY_IMPORT and VAULT_IMPORT_KEY
ImportKeyVersion                 KEY_IMPORT
GenerateDataEncryptionKey        KEY_ENCRYPT
Encrypt                          KEY_ENCRYPT
Decrypt                          KEY_DECRYPT

secrets
CreateSecret                     SECRET_CREATE and VAULT_CREATE_SECRET
UpdateSecret                     SECRET_UPDATE
ListSecrets                      SECRET_INSPECT
GetSecret                        SECRET_READ
ScheduleSecretDeletion           SECRET_DELETE
ChangeSecretCompartment          SECRET_MOVE and SECRET_UPDATE
RotateSecret                     SECRET_ROTATE

secret-versions
ListSecretVersions               SECRET_VERSION_INSPECT
GetSecretVersion                 SECRET_VERSION_READ
ScheduleSecretVersionDeletion    SECRET_VERSION_DELETE and SECRET_UPDATE
CancelSecretVersionDeletion      SECRET_VERSION_DELETE and SECRET_UPDATE

secret-bundles
ListSecretBundles                SECRET_BUNDLE_INSPECT
GetSecretBundle                  SECRET_BUNDLE_READ
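The supported variables, the cumulative verb hierarchy and the operation table above together decide whether a request is allowed. The following Python model is an added example, not code from the Oracle Cloud Infrastructure documentation or the Vault service: it parses the documented statement shape (Allow group ... to VERB RESOURCE in compartment ... where VAR = '...'), accumulates permissions per verb, expands secret-family to the individual secret resource-types, and requires every permission listed for an operation. The keys row of the verb mapping follows the worked example on the page; the other rows, the treatment of a variable missing from the request, the group and compartment names, and the OCID value are assumptions made for illustration.

```python
import re

# Verb hierarchy from the page: access is cumulative, inspect < read < use < manage.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Lowest verb that grants each permission. The keys row follows the page's worked
# example (use keys = read keys + KEY_ENCRYPT/KEY_DECRYPT). Other rows are ASSUMED
# from the permission naming convention; verify against the per-resource-type tables.
PERMISSION_VERB = {
    "vaults": {"VAULT_INSPECT": "inspect", "VAULT_READ": "read",
               "VAULT_CREATE_KEY": "use", "VAULT_IMPORT_KEY": "use",
               "VAULT_CREATE_SECRET": "use", "VAULT_CREATE": "manage",
               "VAULT_UPDATE": "manage", "VAULT_DELETE": "manage", "VAULT_MOVE": "manage"},
    "keys": {"KEY_INSPECT": "inspect", "KEY_READ": "read",
             "KEY_ENCRYPT": "use", "KEY_DECRYPT": "use",
             "KEY_CREATE": "manage", "KEY_UPDATE": "manage", "KEY_DELETE": "manage",
             "KEY_ROTATE": "manage", "KEY_IMPORT": "manage", "KEY_MOVE": "manage"},
    "secrets": {"SECRET_INSPECT": "inspect", "SECRET_READ": "read",
                "SECRET_CREATE": "manage", "SECRET_UPDATE": "manage",
                "SECRET_DELETE": "manage", "SECRET_MOVE": "manage", "SECRET_ROTATE": "manage"},
    "secret-versions": {"SECRET_VERSION_INSPECT": "inspect", "SECRET_VERSION_READ": "read",
                        "SECRET_VERSION_DELETE": "manage"},
    "secret-bundles": {"SECRET_BUNDLE_INSPECT": "inspect", "SECRET_BUNDLE_READ": "read"},
}
# The aggregate resource-type stands for each individual secret resource-type.
SECRET_FAMILY = ("secrets", "secret-versions", "secret-bundles")

# Operation -> permissions that must ALL be granted (subset of the page's table).
OPERATION_PERMISSIONS = {
    "ListKeys": ["KEY_INSPECT"], "GetKey": ["KEY_READ"],
    "Encrypt": ["KEY_ENCRYPT"], "Decrypt": ["KEY_DECRYPT"],
    "GenerateDataEncryptionKey": ["KEY_ENCRYPT"],
    "CreateKey": ["KEY_CREATE", "VAULT_CREATE_KEY"],
    "GetSecretBundle": ["SECRET_BUNDLE_READ"],
    "ChangeSecretCompartment": ["SECRET_MOVE", "SECRET_UPDATE"],
}

# Only this statement shape is parsed:
#   Allow group G to VERB RESOURCE in compartment C [where VAR = 'v' | VAR != 'v']
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment (?P<compartment>\S+)"
    r"(?: where (?P<var>[\w.-]+) (?P<op>!=|=) '(?P<value>[^']*)')?$",
    re.IGNORECASE,
)


def parse(statement):
    m = STATEMENT.match(statement.strip())
    if m is None:
        raise ValueError(f"unsupported statement shape: {statement!r}")
    fields = m.groupdict()
    fields["verb"] = fields["verb"].lower()
    fields["resource"] = fields["resource"].lower()
    return fields


def granted_by(statement, resource_type):
    """Permissions one statement grants on resource_type (cumulative verb, secret-family expansion)."""
    covered = SECRET_FAMILY if statement["resource"] == "secret-family" else (statement["resource"],)
    if resource_type not in covered:
        return set()
    rank = VERB_RANK[statement["verb"]]
    return {p for p, verb in PERMISSION_VERB[resource_type].items() if VERB_RANK[verb] <= rank}


def condition_holds(statement, variables):
    """Evaluate the optional where-clause. A variable absent from the request does not
    satisfy the condition (an assumption of this model, not documented semantics)."""
    if statement["var"] is None:
        return True
    actual = variables.get(statement["var"])
    if actual is None:
        return False
    return (actual == statement["value"]) == (statement["op"] == "=")


def is_allowed(policy, groups, compartment, operation, variables=None):
    """True if a principal in `groups` holds every permission `operation` needs in `compartment`."""
    variables = variables or {}
    granted = set()
    for raw in policy:
        stmt = parse(raw)
        if stmt["group"] not in groups or stmt["compartment"] != compartment:
            continue
        if not condition_holds(stmt, variables):
            continue
        for resource_type in PERMISSION_VERB:
            granted |= granted_by(stmt, resource_type)
    return all(p in granted for p in OPERATION_PERMISSIONS[operation])


# Constructed policy set; group names, compartment and the OCID are placeholders.
POLICY = [
    "Allow group KeyUsers to use keys in compartment Prod",
    "Allow group KeyAdmins to manage keys in compartment Prod",
    "Allow group DekUsers to use keys in compartment Prod where request.includePlainTextKey = 'false'",
    "Allow group AppSvc to use keys in compartment Prod where target.key.id = 'ocid1.key.oc1..example'",
    "Allow group SecretReaders to read secret-family in compartment Prod",
]

if __name__ == "__main__":
    print(is_allowed(POLICY, {"KeyUsers"}, "Prod", "Decrypt"))      # True
    print(is_allowed(POLICY, {"KeyAdmins"}, "Prod", "CreateKey"))   # False: VAULT_CREATE_KEY missing
    print(is_allowed(POLICY, {"DekUsers"}, "Prod", "GenerateDataEncryptionKey",
                     {"request.includePlainTextKey": "true"}))      # False: plaintext key refused
```

Two points the model makes concrete. A group with manage keys still cannot call CreateKey until a vaults statement supplies VAULT_CREATE_KEY, because the operation table lists both permissions. And a statement conditioned on request.includePlainTextKey = 'false' lets a workload generate wrapped data encryption keys while refusing requests that would hand it the plaintext key, which is the least-privilege shape for envelope-encryption callers.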