Manage tenants with Vault namespaces
HashiCorp Vault offers several ways to give applications, teams, or even separate lines of business access to their own dedicated resources. For example, you could enable multiple kv (key/value) secrets engines at different paths, or use policies to restrict each group to a specific prefix within a single secrets engine.
Namespaces are an additional way to provide dedicated resources in a Vault deployment. Every Vault instance starts with the root namespace. With Vault Enterprise and HCP Vault Dedicated, you can create additional namespaces for stronger isolation of resources. This lets Vault administrators run a Vault-as-a-Service model in which each group using Vault manages its own secrets engines, auth methods, and policies. Most importantly, each group can work only within the namespace it has been granted access to.
In this tutorial, you will create multiple namespaces, enable plugins, and create policies to demonstrate the isolation capabilities of namespaces.
Prerequisites
- An HCP account with an HCP Vault Dedicated cluster on the Development tier or higher.
- Vault installed on your local machine.
- jq installed.
Overview
Namespaces are isolated environments that functionally create "Vaults within a Vault." They have separate login paths, and support creating and managing data isolated to their namespace. This functionality enables you to provide Vault as a service to tenants, allowing each tenant to manage resources within their own namespace.
A tenant, in the context of namespaces, is any logical group within your organization that needs to use Vault Dedicated. Your Vault design will help dictate how you define a tenant. For example, a tenant may be a specific team, such as your front-end or back-end development team. Alternatively, you could design around departments, separate lines of business, or specific applications, so that a tenant is your inventory application or your marketing automation application.
HCP Vault Dedicated admin namespace
When working with Vault Dedicated, you will start your configuration in the admin namespace. This namespace is created during the deployment of your Vault Dedicated cluster and provides a similar experience to Vault Enterprise clusters that utilize nested namespaces.
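The following script is an added example, not code from the tutorial or from HashiCorp. It puts the Vault-as-a-Service model from the overview and the admin-namespace starting point from this section into working commands: two tenant namespaces are created under `admin`, each gets its own kv-v2 engine, userpass auth method and policy, and a tenant user's token is then used to show that it cannot reach the sibling tenant's namespace. The tenant names `education` and `marketing`, the user `bob`, and the policy names are made up for illustration; the script assumes `VAULT_ADDR` and a `VAULT_TOKEN` valid in the `admin` namespace are already exported. The two helper functions at the top only compute namespace paths and run without a Vault server; the provisioning steps run only when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Added example (not part of the original tutorial). Assumes VAULT_ADDR and an
# admin-namespace VAULT_TOKEN are exported; tenant names, user and policy names
# are invented for illustration.
set -eu

# Join namespace segments into Vault's canonical form: no leading slash, single
# slashes between segments, no trailing slash. Vault tolerates a trailing "/",
# but a stable form makes comparisons and path building predictable.
ns_join() {
  out=""
  for seg in "$@"; do
    seg="${seg#/}"; seg="${seg%/}"
    [ -z "$seg" ] && continue
    out="${out:+$out/}$seg"
  done
  printf '%s' "$out"
}

# Full HTTP API path for a request scoped to a namespace. The namespace can be
# supplied as a URL prefix (as built here) or via the X-Vault-Namespace header;
# the CLI -namespace flag and VAULT_NAMESPACE do the latter for you.
api_path() {
  ns="$(ns_join "$1")"
  printf '/v1/%s%s' "${ns:+$ns/}" "${2#/}"
}

# Create one tenant namespace beneath a parent, with its own kv-v2 engine,
# userpass auth method, and a policy confined to that engine. Policies are
# namespace-scoped, so "secret/*" here can never refer to another tenant's data.
provision_tenant() {
  parent="$1"; tenant="$2"
  ns="$(ns_join "$parent" "$tenant")"
  vault namespace create -namespace="$parent" "$tenant"
  vault secrets enable -namespace="$ns" -path=secret kv-v2
  vault auth enable -namespace="$ns" userpass
  vault policy write -namespace="$ns" "${tenant}-admin" - <<EOF
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
}

main() {
  provision_tenant admin education
  provision_tenant admin marketing

  # A user that exists only in admin/education, holding only that tenant's policy.
  vault write -namespace=admin/education auth/userpass/users/bob \
    password="change-me" token_policies="education-admin"

  # Log in through the tenant's own login path. -no-store keeps the admin token
  # in the token helper; the tenant token is held in a variable instead.
  tok="$(vault login -namespace=admin/education -method=userpass -no-store \
          -field=token username=bob password=change-me)"

  # Tenant token works inside its namespace (value below is a constructed sample).
  VAULT_TOKEN="$tok" vault kv put -namespace=admin/education secret/app api_key=constructed-value

  # The same token is denied in the sibling namespace: the token, its policy and
  # its auth mount all live in admin/education and mean nothing elsewhere.
  if VAULT_TOKEN="$tok" vault kv get -namespace=admin/marketing secret/app >/dev/null 2>&1; then
    echo "unexpected: tenant token crossed the namespace boundary" >&2
    exit 1
  fi
  echo "isolation verified: admin/education token cannot read admin/marketing"
}

if [ "${1:-}" = run ]; then
  main
fi
```

One caveat a practitioner should keep in mind: isolation runs downward, not upward. The admin-namespace token used to provision the tenants can still address both `admin/education` and `admin/marketing` by path, because child namespaces are reachable from their parent. Tenant tokens are confined to the namespace they were issued in (and its children), which is the property the check at the end of `main` demonstrates; who holds parent-namespace tokens is therefore the part of the design that decides how strong the tenancy boundary really is.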