ENABLE AND QUERY VAULT READ AUDITS
This guide shows you how to enable vault read-access auditing and query the resulting audit trail.
Enable auditing on a new vault
Pass --audit-reads when creating the vault:
$ swamp vault create local_encryption my-secrets --audit-readsINF vault·create Created vault: "my-secrets" ("Local Encryption")The vault configuration will include auditReads: true:
id: 9fb93509-4e26-4278-9d48-49aeb19af35a
name: my-secrets
type: local_encryption
config:
auto_generate: true
base_dir: /path/to/repo
createdAt: "2026-07-13T20:53:54.367Z"
auditReads: trueEnable auditing on an existing vault
Open the vault configuration file and add auditReads: true:
$ swamp vault edit my-secretsAdd the field at the top level of the YAML:
auditReads: trueReads from this vault will be recorded from this point forward.
Query the audit trail
Use swamp vault audit-trail to see recorded reads:
$ swamp vault audit-trailINF vault·audit-trail 2 vault read(s):
INF vault·audit-trail "2026-07-13T20:54:21.586Z" "my-secrets" ("local_encryption")/"api-key" by "cli:vault-read-secret"
INF vault·audit-trail "2026-07-13T20:55:31.276Z" "my-secrets" ("local_encryption")/"api-key" by "expression:vault-resolve"Filter by vault, key, or time range
To narrow results to a specific vault and key:
$ swamp vault audit-trail --vault my-secrets --key api-keyTo query a specific time window:
$ swamp vault audit-trail --since 2026-07-01 --until 2026-07-13To limit the number of entries returned:
$ swamp vault audit-trail --limit 10Refer to the vaults reference for the full list of options and the audit entry format.
For background on how vault read-access auditing relates to the command-level audit system, see The Audit System.