A Shamir Secret holder is responsible for being available to unseal vault when starting it up.
- Vault Binary
- GPG Key
- Help unseal Vault
Use the Vault client and your Shamir secret key to unseal Vault:

```shell
$ vault unseal
```
The Vault Admin is responsible for ensuring the Vault service and its backend are available. They also manage the bringup process in the event of an outage, including coordination of the Shamir secret holders during the process of unsealing the vault.
- SSH access to VMs
  Vault admins may occasionally require SSH access to the underlying operating system. To verify you have access, execute the following:

  ```shell
  # Clone the vault repository
  $ git clone foo
  # Execute an ansible ping to ensure you have ssh access
  $ ./runner.sh ansible-ping -i inventories/dev
  ```
- Access to remote Docker daemon
  The remote Docker daemons are protected via TLS certificates, so you must have the following files in place to connect:

  ```
  ~/.docker/ca.pem
  ~/.docker/cert.pem
  ~/.docker/key.pem
  ```

  Verify that you have access by running the following:

  ```shell
  $ DOCKER_HOST=<docker_hostname>:2376 docker info
  ```
- Configure Secret Backends
  Vault admins configure secret backends when necessary...
- Ensure Vault Service is Available
  Vault Admins ensure the Vault service and underlying infrastructure are up and available...
The Global Policy Admin is responsible for creating, updating, and deleting vault global namespace policies. Vault policies are HCL documents that describe what parts of Vault a user is allowed to access.
- Access to port 8200 of the vault servers
- Global Policy Admin

  ```hcl
  # ---------------------------------------------------------------------
  # policy-global-policy_admin.hcl
  # ---------------------------------------------------------------------
  # Allow global policy admins to CRUDL all policies
  # ("write" is not a Vault capability; create/read/update/delete/list are)
  path "sys/policy/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
  }
  ```
- Manage Namespace Admins
- Manage Global Policies
The Namespace Policy Admin is responsible for creating, updating, and deleting vault namespace policies. Vault policies are HCL documents that describe what parts of Vault a user is allowed to access.
- Vault binary/library
- Access to port 8200 of the vault servers
- Namespace Admin

  ```hcl
  # ---------------------------------------------------------------------
  # policy-<namespace>-policy_admin.hcl
  # ---------------------------------------------------------------------
  # Allow <namespace> policy admins to CRUDL all <namespace> policies
  # ("write" is not a Vault capability; create/read/update/delete/list are)
  path "sys/policy/<namespace>/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
  }
  ```
A Secret Reader is responsible for reading and listing a secret.
- policy-<namespace>-<secret>-read

  ```hcl
  # ---------------------------------------------------------------------
  # policy-<namespace>-<secret>-read.hcl
  # ---------------------------------------------------------------------
  # Allow a secret reader to RL (read and list) a secret
  path "<backend>/<namespace>/<secret>" {
    capabilities = ["read", "list"]
  }
  ```
- Access to port 8500 of the Vault servers
  Vault is served over port 8500, so ensure you have access to that port on the Vault servers from wherever the vault binary/library will be run.
- Vault binary
A Secret Maintainer is responsible for creating, updating, and deleting a secret. Vault policies are HCL documents that describe what parts of Vault a user is allowed to access.
- policy-<namespace>-<secret>-write

  ```hcl
  # ---------------------------------------------------------------------
  # policy-<namespace>-<secret>-write.hcl
  # ---------------------------------------------------------------------
  # Allow a secret maintainer to CUD (create, update and delete) a secret
  path "<backend>/<namespace>/<secret>" {
    capabilities = ["create", "update", "delete"]
  }
  ```
- Access to port 8500 of the Vault servers
  Vault is served over port 8500, so ensure you have access to that port on the Vault servers from wherever the vault binary/library will be run.
- Vault binary
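As an added example (not part of the original page or its repository), the four policy templates above (global policy admin, namespace policy admin, secret reader, secret maintainer) rendered and checked in Python: the `<namespace>`, `<secret>` and `<backend>` placeholders are only ever filled with a single plain path segment, so a namespace policy admin's `sys/policy/<namespace>/*` cannot be widened by a crafted name, and capability names Vault does not accept are rejected. The role keys and function names are my own; the capability set is Vault's.

```python
import re

# Capabilities Vault accepts in a policy stanza. The page's "CRUDL" comment
# maps to create/read/update/delete/list; "write" is not a valid capability.
VALID_CAPABILITIES = {"create", "read", "update", "delete", "list", "sudo", "deny"}

# A substituted placeholder must be one plain path segment: no "/", "*", "+"
# or "..", so "sys/policy/{namespace}/*" can never become "sys/policy/*".
SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")

# role -> (path template, capabilities); mirrors the four policies on the page
TEMPLATES = {
    "global_policy_admin": ("sys/policy/*", ["create", "read", "update", "delete", "list"]),
    "namespace_policy_admin": ("sys/policy/{namespace}/*", ["create", "read", "update", "delete", "list"]),
    "secret_reader": ("{backend}/{namespace}/{secret}", ["read", "list"]),
    "secret_maintainer": ("{backend}/{namespace}/{secret}", ["create", "update", "delete"]),
}

def is_safe_segment(value):
    """True if value can be substituted into a policy path without changing its shape."""
    return bool(SEGMENT.match(value))

def render_policy(role, namespace=None, secret=None, backend=None):
    """Render the HCL for one of the page's role policies, validating every input."""
    path_tmpl, caps = TEMPLATES[role]
    fields = {"namespace": namespace, "secret": secret, "backend": backend}
    needed = {f for f in fields if "{" + f + "}" in path_tmpl}
    for f in sorted(needed):
        if fields[f] is None:
            raise ValueError(f"role {role} requires a {f}")
        if not is_safe_segment(fields[f]):
            raise ValueError(f"{f} {fields[f]!r} is not a single safe path segment")
    unknown = set(caps) - VALID_CAPABILITIES
    if unknown:
        raise ValueError(f"unknown capabilities: {sorted(unknown)}")
    path = path_tmpl.format(**{f: fields[f] for f in needed})
    cap_list = ", ".join(f'"{c}"' for c in caps)
    return f'path "{path}" {{\n  capabilities = [{cap_list}]\n}}\n'

def lint_capabilities(hcl):
    """Return (capabilities found, unknown names) for a single-stanza policy file."""
    m = re.search(r"capabilities\s*=\s*\[([^\]]*)\]", hcl)
    if m is None:
        return [], []
    caps = [c.strip().strip('"') for c in m.group(1).split(",") if c.strip()]
    return caps, sorted(set(caps) - VALID_CAPABILITIES)

if __name__ == "__main__":
    print(render_policy("secret_reader", backend="secret", namespace="payments", secret="db"))
    # Constructed sample: a CRUDL stanza written with "write", as a linter would catch it
    print(lint_capabilities('capabilities = ["read", "write", "update", "delete", "list"]'))
```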