fixes for enrolling recovery keys

Harish Kumar · Harish Kumar · commit 9838fd02e32f · 2026-01-02T11:32:17.000Z
* add machine id entity metadata for a node in the vault
* Add policy so node token can write (not update or read) recovery key
  in vault kv
diff --git a/mkosi.images/terraform/share/terraform/pki.tf b/mkosi.images/terraform/share/terraform/pki.tf
@@ -264,6 +264,7 @@ resource "vault_cert_auth_backend_role" "node" {
       vault_policy.node-cert-self-renew.name,
       vault_policy.ssh-host-self-signer.name,
       vault_policy.consul-gossip.name,
+      vault_policy.node-recovery-keys.name,
     ]
 }
 
@@ -277,6 +278,22 @@ resource "vault_policy" "node-cert-self-renew" {
     EOP
 }
 
+resource "vault_policy" "node-recovery-keys" {
+    name = "node-recovery-keys"
+
+    policy = <<-EOP
+        # Allow nodes to create recovery keys for their own machine-id only (write-once, no read/update)
+        # No read allowed because node does not need to read its own recovery key,
+        #   it is only needed to be read by admins to recover the node
+        # No update allowed to avoid compromised node may update recovery key
+        #  Any update of recovery keys (even for rotating recovery keys) need admin actions
+        #  For which admin key should be used
+        path "secrets/mangos/recovery-keys/{{identity.entity.metadata.machine_id}}/*" {
+            capabilities = ["create"]
+        }
+    EOP
+}
+
 resource "vault_identity_group" "vault-servers" {
   name        = "vault-servers"
   type        = "internal"
diff --git a/resources/mangosctl/mangosctl.sh b/resources/mangosctl/mangosctl.sh
@@ -489,6 +489,11 @@ do_enroll() {
 	entity_name=$(vault write -field=name identity/lookup/entity alias_name=${HOSTNAME}.mangos alias_mount_accessor=${node_auth_accessor})
 	echo $entity_name
 
+	step "Setting machine-id as entity metadata"
+	machine_id=$(cat /etc/machine-id)
+	vault write identity/entity/name/${entity_name} metadata=machine_id="${machine_id}"
+	greenln Success
+
 	for group in ${!groups[@]}
 	do
 		do_step "Adding host to group '${group}'" chronic do_entity addgroup ${entity_name} ${group}
@@ -1046,7 +1051,11 @@ do_bootstrap() {
 	CONSUL_HTTP_TOKEN=${consul_mgmt_token} \
 	do_step "Final Terraform run" run_terraform_apply
 
-	do_step "Enrolling recovery keys for encrypted partitions" enroll_recovery_keys "$(systemd-creds decrypt /var/lib/private/vault.root_token)"
+	echo
+	echo "Bootstrap complete! Next steps:"
+	echo "  1. Run: mangosctl sudo enroll -g vault-server -g consul-server -g nomad-server 127.0.0.1"
+	echo "  2. This will enroll the bootstrap node's identity and recovery keys"
+	echo
 }
 
 set_agent_token() {
