Create an administrative namespace
Grant access to a predefined subset of privileged system backend endpoints in the Vault API with an administrative namespace.
HCP Vault has a built-in administrative namespace
HCP Vault clusters include an administrative namespace (admin) by default.
For more information on managing namespaces with HCP Vault, refer to the HCP Vault namespace considerations guide.
Before you start
- You must have Vault Enterprise 1.15+ installed and running.
- You must have access to your Vault configuration file.
- You must have permission to create and manage namespaces for your Vault instance.
Step 1: Create your namespace
Use the namespace create CLI command to create a new namespace:
For example, to create a namespace called "ns_admin" under the root namespace:
Step 2: Give the namespace admin permission
To create an administrative namespace, set the administrative_namespace_path
parameter in your Vault configuration with the absolute path of your new
namespace. We recommend setting the namespace path with the other string
assignments in your configuration file. For example:
Step 3: Verify the new permissions
To verify permissions for the administrative namespace, compare API responses from a restricted endpoint from your new namespace and another namespace without elevated permissions.
If you do not already have a namespace you can use for testing, create a test namespace called "ns_test" with the namespace create CLI command:
Use the monitor CLI command to call the /sys/monitor endpoint from your test namespace:
You should see an unsupported path error:
Now use the monitor command to call the sys/monitor endpoint from your administrative namespace:
You should see log data from your Vault instance streaming to the terminal:
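The step 3 comparison can also be scripted so that it fails loudly when the elevated access is missing from the administrative namespace or present in an ordinary one. This is an added example, not part of the Vault documentation: the function names, the MONITOR_WINDOW, ADMIN_NS and TEST_NS variables and the 5-second window are assumptions, and it expects VAULT_ADDR, a valid token and GNU timeout to be available.

```shell
#!/usr/bin/env bash
# Added example (not from the Vault docs). Assumes VAULT_ADDR and VAULT_TOKEN
# are exported, both namespaces already exist (vault namespace create ...), and
# administrative_namespace_path is set in the Vault configuration file.

MONITOR_WINDOW="${MONITOR_WINDOW:-5}"   # seconds to let "vault monitor" stream

# monitor_access NAMESPACE -> prints: allowed | denied | error
# (hypothetical helper; the subshell body keeps its variables local)
monitor_access() (
  ns="$1"
  rc=0
  # "vault monitor" streams until interrupted, so cap it with timeout(1).
  out=$(VAULT_NAMESPACE="$ns" timeout "$MONITOR_WINDOW" vault monitor 2>&1) || rc=$?
  if printf '%s\n' "$out" | grep -qi 'unsupported path'; then
    echo denied      # the error the page describes for an ordinary namespace
  elif [ "$rc" -eq 124 ]; then
    echo allowed     # GNU timeout exits 124: the command was still streaming
  else
    echo error       # bad token, unreachable server, wrong address, ...
  fi
)

# verify_admin_namespace ADMIN_NS TEST_NS -> returns 0 only when sys/monitor
# is reachable from ADMIN_NS and rejected from TEST_NS.
verify_admin_namespace() (
  admin_result=$(monitor_access "$1")
  test_result=$(monitor_access "$2")
  echo "sys/monitor from $1: $admin_result"
  echo "sys/monitor from $2: $test_result"
  [ "$admin_result" = allowed ] && [ "$test_result" = denied ]
)

# Runs only when a namespace is supplied, for example:
#   ADMIN_NS=ns_admin TEST_NS=ns_test ./check_admin_ns.sh
if [ -n "${ADMIN_NS:-}" ]; then
  verify_admin_namespace "$ADMIN_NS" "${TEST_NS:-ns_test}"
fi
```

A result of "error" for either namespace means the check could not reach sys/monitor at all, so fix authentication or connectivity before drawing conclusions about permissions.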
Next steps
- Follow the Secure multi-tenancy with namespaces tutorial to provide additional security and ensure teams can self-manage their own environments.
- Read more about managing namespaces in Vault Enterprise.