ClarioSec
Integration

HashiCorp Vault

Discover secrets engines, auth methods, policies and identities across namespaces. Govern non-human identities and their effective capabilities on secret paths — and prevent risky use before impact.
Overview
What the connector discovers
  • Mounts & Secret Engines
    sys/mounts inventory: KV (v1/v2), Transit, Database, AWS, PKI, Cubbyhole, TOTP, SSH and more — with mount options and versions.
  • Auth Methods
    sys/auth inventory: AppRole, Kubernetes, AWS/GCP, OIDC/JWT, LDAP, Token, GitHub, Radius… with tuned configuration.
  • Identities, Entities & Aliases
    identity/entity and entity-alias mapping (Kubernetes SA, AppRole, cloud principals) to owners/teams; group membership.
  • Policies & Capabilities
    ACL policies, Sentinel / OPA (if used), capabilities per path (create, read, update, delete, list, sudo); policy drift over time.
  • Tokens, Leases & Dynamic Secrets
    Token metadata (TTL, policies, orphan), leases for database/AWS engines, renewal behavior, revocation windows and usage bursts.
  • Namespaces (Enterprise)
    Namespace hierarchy and delegated admin; isolation of mounts/auth/policies per namespace.
  • Audit, Replication & Health
    Audit devices and state, DR/Perf replication status, seal/health endpoints for operational risk visibility.

Why it matters

Vault is the **source of secrets and encryption** for modern systems. ClarioSec turns mounts, policies and leases into **runtime governance**: drift-aware risk scoring, proactive hygiene (rotation/revocation windows) and **explainable** decisions tied to controls.

  • Secret hygiene & rotation
  • Least-privilege policies
  • Pre-execution controls
  • Explainable decisions

Drift-aware risk scoring

Baselines per engine/auth method; peer groups by team; detect policy sprawl, path wildcards, long-lived tokens/leases, non-rotated keys, unusual read/update bursts and namespace drift.

Pre-execution governance

Allow / Alert / Block / Approve risky secret operations (e.g., reading sensitive paths, exporting transit keys), with playbooks for revoke/rotate and owner attestations — without breaking workflows.

Audit-grade narratives

Every decision yields **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), with before/after capabilities, affected paths and owner context.

Setup
Connect HashiCorp Vault

ClarioSec connects to the **HTTP API** on your Vault cluster (self-hosted or HCP). Use a **read-only policy** token or an **AppRole** or **Kubernetes** login dedicated to discovery.

  • 1) Endpoint & TLS
    Provide VAULT_ADDR (https://vault.yourdomain:8200). We verify TLS (custom CA supported).
  • 2) Authentication
    Recommended: AppRole with a limited policy; or Token with read-only policy; or Kubernetes SA JWT (k8s auth).
  • 3) Minimal policy (example)
    Capabilities: read/list on sys/mounts, sys/auth, sys/policies/acl, sys/leases/*, identity/*, sys/replication/*, sys/audit, sys/health; list/read selected secret engines metadata (no secret values).
  • 4) Namespaces (Enterprise)
    If using namespaces, provide base namespace and scope; ClarioSec iterates sub-namespaces per policy.
  • 5) Add in ClarioSec
    In ClarioSec, open the Vault connector and paste VAULT_ADDR + auth (Token/AppRole/Kubernetes). Credentials are stored per-tenant.

Data collected

High-value signals via sys/identity/secret engine endpoints (no secret payloads):

  • sys/mounts, sys/auth (engines/methods & options)
  • sys/policies/acl, capabilities-self on representative paths
  • identity/entity, identity/entity-alias, identity/group/* (ownership graph)
  • sys/leases/* (dynamic secrets), token/lookup-self metadata (TTL, orphan, policies)
  • sys/replication/*, sys/audit, sys/health, sys/seal-status

Endpoint family: /v1/sys/*, /v1/identity/*, /v1/auth/*, /v1/{mount} (metadata only).

Common risks caught
  • Wildcard paths & policy sprawl
    Policies granting broad capabilities (e.g., write on secret/*, transit/keys/*) without constraints.
  • Long-lived tokens & stale leases
    Tokens without expiry (orphan) and dynamic secrets not renewed/rotated on schedule.
  • Weak auth method posture
    Kubernetes/AppRole with lax constraints (bound claims, CIDRs), permissive OIDC/LDAP mappings to high-privilege policies.
  • Unpinned audit/replication
    Audit devices disabled or misconfigured; DR/Perf replication degraded, risking blind spots.
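The two policy-related points above, the read-only discovery policy from the Setup section and the wildcard sprawl described under "Common risks caught", can be checked with a small ACL policy linter. The following is an added example, not ClarioSec's connector code or HashiCorp's tooling: it parses Vault policy HCL with a regex (enough for `path "..." { capabilities = [...] }` blocks), and flags any rule that combines a wildcard path with a state-changing capability, or that grants `sudo`. Both sample policies are constructed; the discovery policy follows the path list on this page but its exact body, and the use of `secret/metadata/*` for KV v2 metadata, are assumptions.

```python
import re
from dataclasses import dataclass

# Capabilities that change state. "sudo" is flagged on its own, wildcard or not.
WRITE_CAPS = {"create", "update", "patch", "delete"}

# Constructed sample 1: a read-only discovery policy built from the path list in
# the Setup section. The policy body is an assumption, not ClarioSec's own.
DISCOVERY_POLICY = '''
path "sys/mounts"          { capabilities = ["read", "list"] }
path "sys/auth"            { capabilities = ["read", "list"] }
path "sys/policies/acl"    { capabilities = ["list"] }
path "sys/policies/acl/*"  { capabilities = ["read"] }
path "sys/leases/*"        { capabilities = ["read", "list"] }
path "identity/*"          { capabilities = ["read", "list"] }
path "sys/replication/*"   { capabilities = ["read"] }
path "sys/audit"           { capabilities = ["read"] }
path "sys/health"          { capabilities = ["read"] }
# KV v2 metadata only: key names and versions, never the secret values.
path "secret/metadata/*"   { capabilities = ["read", "list"] }
'''

# Constructed sample 2: the kind of sprawl the "Common risks caught" section describes.
SPRAWL_POLICY = '''
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "transit/keys/*" {
  capabilities = ["create", "update"]
}
path "sys/*" {
  capabilities = ["read", "sudo"]
}
path "kv/data/app/+/config" {
  capabilities = ["read"]
}
'''

_BLOCK_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.DOTALL)
_CAPS_RE = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]', re.DOTALL)


def parse_policy(hcl: str) -> dict[str, list[str]]:
    """Map each path rule to its capability list; '#' comment lines never match."""
    rules: dict[str, list[str]] = {}
    for path, body in _BLOCK_RE.findall(hcl):
        m = _CAPS_RE.search(body)
        rules[path] = re.findall(r'"([^"]+)"', m.group(1)) if m else []
    return rules


@dataclass
class Finding:
    path: str
    capabilities: list[str]
    reason: str


def is_glob(path: str) -> bool:
    """Vault treats a trailing '*' as a glob and a '+' segment as a single-segment wildcard."""
    return path.endswith("*") or "+" in path.split("/")


def find_broad_grants(hcl: str) -> list[Finding]:
    """Flag sudo grants, and wildcard paths that also carry state-changing capabilities."""
    findings: list[Finding] = []
    for path, caps in parse_policy(hcl).items():
        writes = sorted(WRITE_CAPS & set(caps))
        if "sudo" in caps:
            findings.append(Finding(path, caps, "sudo capability"))
        elif is_glob(path) and writes:
            findings.append(Finding(path, caps, f"wildcard path with {', '.join(writes)}"))
    return findings


if __name__ == "__main__":
    for name, policy in (("discovery", DISCOVERY_POLICY), ("sprawl", SPRAWL_POLICY)):
        found = find_broad_grants(policy)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f.path}: {f.reason}")
```

The discovery policy yields no findings even though it uses `*` on several paths, because every wildcard rule is read/list only; the sprawl policy is flagged on `secret/*`, `transit/keys/*` and `sys/*`, while the `+`-segment rule on `kv/data/app/+/config` passes because it is read-only. Running the same check against `sys/policies/acl/<name>` output over time is one way to observe the policy drift the page refers to.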

Governance outcomes
  • Minimize policies & narrow paths with owners in the loop
  • Automated rotation windows for keys/tokens/leases
  • Pre-execution approvals for sensitive path access (JIT)
  • Narratives mapped to SOC 2 / GDPR / ISO / AI Act for every decision
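The "Long-lived tokens & stale leases" risk above and the rotation-window outcome in this list both rest on reading token metadata rather than secret values. As an added example (not ClarioSec's code), the function below scores records shaped like the `data` object of Vault's `auth/token/lookup` response: it flags tokens with no expiry (`ttl` of 0), tokens whose remaining TTL exceeds a threshold, orphan tokens, and tokens carrying the `root` policy. Field names follow the real lookup response; all values and the 24-hour threshold are constructed, and findings are keyed by accessor so token IDs never appear in output.

```python
# Assumed threshold: anything that outlives a day counts as "long-lived" for this check.
MAX_TTL_SECONDS = 24 * 3600

# Constructed samples shaped like the "data" object of auth/token/lookup.
# Field names follow Vault's token lookup response; every value is made up.
SAMPLE_TOKENS = [
    {"accessor": "constructed-accessor-1", "display_name": "approle-ci-deploy",
     "ttl": 1800, "creation_ttl": 3600, "explicit_max_ttl": 14400,
     "orphan": False, "renewable": True, "policies": ["default", "ci-read"], "type": "service"},
    {"accessor": "constructed-accessor-2", "display_name": "token",
     "ttl": 0, "creation_ttl": 0, "explicit_max_ttl": 0,
     "orphan": True, "renewable": False, "policies": ["root"], "type": "service"},
    {"accessor": "constructed-accessor-3", "display_name": "nightly-batch",
     "ttl": 45 * 24 * 3600, "creation_ttl": 60 * 24 * 3600, "explicit_max_ttl": 0,
     "orphan": True, "renewable": True, "policies": ["default", "deploy"], "type": "service"},
]


def assess_token(token: dict, max_ttl: int = MAX_TTL_SECONDS) -> list[str]:
    """Return hygiene findings for one token lookup record (empty list means clean)."""
    findings: list[str] = []
    ttl = int(token.get("ttl", 0))
    if ttl == 0:
        # Vault reports ttl 0 for tokens that never expire (root tokens, for example).
        findings.append("never expires (ttl 0)")
    elif ttl > max_ttl:
        findings.append(f"long-lived: {ttl // 3600}h remaining")
    if token.get("orphan"):
        # Orphan tokens have no parent, so revoking the parent does not revoke them.
        findings.append("orphan: outlives its parent, revoke explicitly")
    if "root" in token.get("policies", []):
        findings.append("root policy attached")
    return findings


def triage(tokens: list[dict]) -> dict[str, list[str]]:
    """Accessor -> findings, only for tokens with at least one finding (accessors, never IDs)."""
    return {t["accessor"]: f for t in tokens if (f := assess_token(t))}


if __name__ == "__main__":
    for accessor, reasons in triage(SAMPLE_TOKENS).items():
        print(accessor)
        for r in reasons:
            print(f"  - {r}")
```

The first sample passes: it has a short TTL, a bounded explicit max TTL and a parent. The second is the worst case on every axis and would be the obvious candidate for the revoke playbook described earlier; the third is a renewable orphan with 45 days remaining, the shape of token that rotation windows are meant to retire.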
Ready to govern Vault secrets and agents at runtime?

Move from static policy checks to provable behavior — identity → capability → path → narrative.

Runtime governance for SaaS & AI agents. Discover non-human identities, score drift, enforce policies, and generate audit-grade explanations.

© 2025 ClarioSec. All rights reserved.