We need to enable the REST API for a user and set up least privilege to access 'secrets' data for a single vault in read-only and read/write modes.
Release: 4.1
API keys are limited to the scope of the user to which they belong. To assign a user a role in a vault, the user must first be assigned the Session Manager role "Secrets Management", or some other role that includes the privilege "Enable Secrets Management". Once that is the case, you can assign the user to a vault under the Vault Managers tab in the Vault editor.
For read-only access, assign the "SecretViewer" role. For read/write access, assign the "SecretOwner" role. The latter includes Add and Delete privileges, not just Update. PAM does not have a role that only allows Read and Update at this time.
The API key also needs to have the "Secrets Management" role assigned. With this role, it will have access to the vaults configured for the user.