Skip to main content

Default IAM Configuration

Learn about the default IAM configuration

Vault comes with a default IAM configuration. This default configuration defines a list of roles with access control capabilities and policies suitable for most use cases. These roles can be used as the basis for creating your configuration, for example, by copying and amending roles to match the needs of your use cases.

  1. Admin - A special built-in user typically used by the DevOps team or system admin to control the Vault instance. This user has access to all APIs but, by default, is blocked from accessing data in production. You can control this user's access to data using the PVAULT_SERVICE_ADMIN_MAY_READ_DATA environment variable. Also, you define the user's API key using the PVAULT_SERVICE_ADMIN_API_KEY environment variable.
  2. Security admin - a user that controls the list of users, roles and policies of who can access Vault. For example, lead developers who operate the vault.
  3. Developer - developers who write applications that use the vault.
  4. CI/CD - the pipeline that deploys applications that use the vault. When employed in GitOps and IAC, the pipeline typically configures collections and IAM.
  5. External application - a public service, for example, a public web server accessible by end users. This service may collect sensitive information, for example, during registration or sign-up, but should have limited read access to avoid exposing sensitive information.
  6. Internal application - an application used by trusted persons, for example, support or administration, to manage and administrate users.
  7. Privileged service - internal high-privileged services. For example, an identity service that manages all end users.
  8. Token consumer service - a service that requires access to minimal amounts of sensitive data, typically by detokenizing it. For example, a mailing service that needs to detokenize the target email and first and last names.

Access Control - Capabilities

This table shows how the default configuration assigns capabilities to users.

CapabilityPurposeSec. adminDevsVault schedulerCI/CDExt. appInt. appPriv. serviceToken consumer
CapIAMReaderRead the list of usersVVV
CapIAMWriterSet users and API keysVV
CapKMSReaderGet the status of the KMSVVVV
CapKMSWriterRotate keysVVV
CapConfvarReaderRead log levelVVV
CapConfvarWriterWrite log levelVV
CapErrorWriterTrigger an artificial error for testing purposesVV
CapClusterInfoReaderGet cluster information, including cache propagationVVV
CapInfoReaderGet system informationVVV
CapSystemGCRunnerDelete archived objects and tokensVV
CapCollectionsReaderRead collection definitionsVV
CapCollectionsWriterWrite collection definitionsVV
CapCodeReaderRead bundlesVV
CapCodeWriterWrite (add, update and delete) bundlesV
CapTypesReaderRead data typesVV
CapTypesWriterWrite (and and delete) data typesV
CapDataWriterWrite dataVVV
CapDataCreatorOnly create new data objectsVVV
CapDataUpdaterOnly update data objectsVVV
CapDataDeleterOnly delete data objectsVVV
CapDataSearcherSearch dataVVV
CapTokensReaderRead token metadataVVV
CapTokensWriterTokenize and write token metadataVVV
CapObjectsReaderRead objects by ID or queryVVV
CapObjectsWriterWrite objectsVVV
CapObjectsListerRead objectsVVV
CapObjectsCreatorOnly create new data objectsVVV
CapObjectsUpdaterOnly update data objectsVVV
CapObjectsDeleterOnly deleter objectsVVV


Policies provide applications and services with access to data.

The default IAM configuration includes a list of policies that define operations and the sensitivity of the data type they can access. These policies simplify the definition of policies for each role. The name of each policy is derived using this template: Pol[Allow|Deny][Read|WriteDelete|Search|Tokenize|Detokeniz|All][Meta|Low|Med|High|PCI|All]. For example, the PolAllowReadLow policy allows read access to low-sensitivity data types, while the PolDenyAllHigh policy denies all operations on high-sensitivity data types.

Data sensitivities are defined based on data type as follows:

  • Low – gender, email.mask, and phone_number.mask
  • Medium – date_of_birth, zip_code_us, us_bank_routing, ssn.mask, ban.mask, and cc_number.mask
  • High – email, ssn, phone_number, name, address, us_bank_account_number, ban, cc_holder_name , and cc_expiration_string
  • PCI – cc_number and cc_cvv
  • Meta (all built-in properties) – _*

Note: standard data types aren't covered by any of these policies, as the sensitivity depends on the specific use.

Using these policies, each application and service is assigned policies that match its use case.

# Humans
capabilities = ["CapIAMReader", "CapIAMWriter", "CapKMSReader", "CapKMSWriter",
"CapConfvarReader", "CapConfvarWriter", "CapErrorWriter", "CapClusterInfoReader",
"CapInfoReader", "CapSystemGCRunner"]
policies = ["PolDenyAllAll"]

capabilities = ["CapIAMReader", "CapKMSWriter", "CapConfvarReader", "CapClusterInfoReader",
"CapInfoReader", "CapCollectionsReader", "CapCollectionsWriter", "CapCodeReader", "CapTypesReader"]
policies = ["PolDenyAllAll"]

# Management entities
capabilities = ["CapKMSReader", "CapKMSWriter", "CapSystemGCRunner"]
policies = ["PolDenyAllAll"]

capabilities = ["CapIAMReader", "CapIAMWriter", "CapKMSReader", "CapKMSWriter",
"CapConfvarReader", "CapConfvarWriter", "CapErrorWriter", "CapClusterInfoReader",
"CapInfoReader", "CapCollectionsReader", "CapCollectionsWriter", "CapCodeReader", "CapTypesReader"]
policies = ["PolDenyAllAll"]

## Services and applications
capabilities = ["CapObjectsReader", "CapObjectsLister", "CapObjectsWriter", "CapDataSearcher"]
policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowWriteDeleteHigh", "PolAllowSearchHigh"]

capabilities = ["CapObjectsReader", "CapObjectsLister", "CapObjectsWriter", "CapDataSearcher"]
policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowReadHigh", "PolAllowWriteDeleteHigh", "PolAllowSearchHigh"]

capabilities = ["CapObjectsReader", "CapObjectsLister", "CapObjectsWriter", "CapDataSearcher", "CapTokensReader",
"CapTokensWriter", "CapTokensDetokenizer"]
policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowAllHigh"]

capabilities = ["CapTokensDetokenizer"]
policies = ["PolAllowDetokenizeAll", "PolDenyDetokenizePci"]


role = "SecurityAdmin"

role = "Developer"

role = "VaultScheduler"

role = "CICD"

role = "ExternalApplication"

role = "InternalApplication"

role = "PrivilegedService"

role = "TokensConsumer"