Vault

Vault provides centralized, well-audited privileged access and secret management for mission-critical data whether you deploy systems on-premises, in the cloud, or in a hybrid environment.

- From What is Vault?

Authentication backends

AppRole

The approle auth method allows machines or apps to authenticate with Vault-defined roles.

- From upstream AppRole documentation

Setting	Value
Path	`/approle`

Roles

`consul-connect`

Consul Connect is currently the only user of AppRole.

Setting	Value
Token max TTL	24h
Token TTL	1h

Secrets engines/backends

Consul

The Consul secrets engine generates Consul API tokens dynamically based on Consul ACL policies.

- From upstream Consul secrets engine documentation

Setting	Value
Path	`/consul`

Roles

Role name	Service Identities	Policies
`consul-api`		`consul-api`
`management`		`global-management`
`vault-server`	`vault`

Policies

Name	Rules
`change-own-password`	`path "auth/userpass/users/{{identity.entity.aliases.auth_userpass_97304432.name}}" {` `capabilities = ["update"]` `allowed_parameters = {` `"password" = []` `}` `}`
`consul-client-issuer`	`path "pki-svc/issue/consul-client" {` `capabilities = ["update"]` `}`
`consul-connect-special-privileges`	`path "/consul-connect-root-ca/root/sign-self-issued" {` `capabilities = [ "sudo", "update" ]` `}`
`consul-gossip`	`path "secrets/mangos/consul/gossip" {` `capabilities = ["read"]` `}`
`consul-managed-connect-pki`	`#` `# "1. Allow Consul to create and manage both PKI engines:"` `#` `path "/sys/mounts/consul-connect-root-ca" {` `capabilities = [ "create", "read", "update", "delete", "list" ]` `}` `path "/sys/mounts/consul-connect-intermediate-dc1-ca" {` `capabilities = [ "create", "read", "update", "delete", "list" ]` `}` `path "/sys/mounts/consul-connect-intermediate-dc1-ca/tune" {` `capabilities = [ "update" ]` `}` `#` `# "2. Allow Consul full use of both PKI engines:"` `#` `path "/consul-connect-root-ca/" {` `capabilities = [ "create", "read", "update", "delete", "list" ]` `}` `path "/consul-connect-intermediate-dc1-ca/" {` `capabilities = [ "create", "read", "update", "delete", "list" ]` `}`
`consul-server-issuer`	`path "pki-svc/issue/consul-server" {` `capabilities = ["update"]` `}`
`lookup-self`	`path "auth/token/lookup-self" {` `capabilities = ["update"]` `}`
`node-cert-self-renew`	`path "pki-nodes/sign/node-cert-self" {` `capabilities = ["update"]` `}`
`nomad-client-issuer`	`path "pki-svc/issue/nomad-client" {` `capabilities = ["update"]` `}`
`nomad-management`	`path "nomad/creds/management" {` `capabilities = ["read"]` `}`
`nomad-server-issuer`	`path "pki-svc/issue/nomad-server" {` `capabilities = ["update"]` `}`
`nomad-workload`	`path "consul/creds/{{identity.entity.aliases.auth_oidc_3fe582a1.metadata.nomad_namespace}}" {` `capabilities = ["read"]` `}` `path "secrets/tenants/{{identity.entity.aliases.auth_oidc_3fe582a1.metadata.nomad_namespace}}/" {` `capabilities = ["create", "update", "list", "read", "delete"]` `}` `path "secret/nomad/data/{{identity.entity.aliases.auth_oidc_3fe582a1.metadata.nomad_namespace}}/{{identity.entity.aliases.auth_oidc_3fe582a1.metadata.nomad_job_id}}/" {` `capabilities = ["read"]` `}` `path "secret/nomad/data/{{identity.entity.aliases.auth_oidc_3fe582a1.metadata.nomad_namespace}}/{{identity.entity.aliases.auth_oidc_3fe582a1.metadata.nomad_job_id}}" {` `capabilities = ["read"]` `}` `path "secret/nomad/data/{{identity.entity.aliases.auth_oidc_3fe582a1.metadata.nomad_namespace}}/" {` `capabilities = ["list"]` `}` `path "secret/nomad/data/" {` `capabilities = ["list"]` `}`
`renew-self`	`path "auth/token/renew-self" {` `capabilities = ["update"]` `}`
`ssh-as-anyone`	`path "ssh/config/ca" {` `capabilities = ["read"]` `}` `path "ssh/sign/any-user" {` `capabilities = ["create", "update"]` `}`
`ssh-host-self-signer`	`path "ssh/config/ca" {` `capabilities = ["read"]` `}` `path "ssh/sign/host-self" {` `capabilities = ["create", "update"]` `}`
`ssh-host-signer`	`path "ssh/config/ca" {` `capabilities = ["read"]` `}` `path "ssh/sign/host" {` `capabilities = ["create", "update"]` `}`
`vault-issuer`	`path "pki-svc/issue/vault-server" {` `capabilities = ["update"]` `}`
`vault-managed-connect-pki`	`# "1. Allow Consul to read both PKI mounts and to manage the` `# intermediate PKI mount configuration"` `path "/sys/mounts/consul-connect-root-ca" {` `capabilities = [ "read" ]` `}` `path "/sys/mounts/consul-connect-intermediate-dc1-ca" {` `capabilities = [ "read" ]` `}` `path "/sys/mounts/consul-connect-intermediate-dc1-ca/tune" {` `capabilities = [ "update" ]` `}` `# "2. Allow Consul read-only access to the root PKI engine, to` `# automatically rotate intermediate CAs as needed, and full use` `# of the intermediate PKI engine"` `path "/consul-connect-root-ca/" {` `capabilities = [ "read" ]` `}` `path "/consul-connect-root-ca/root/sign-intermediate" {` `capabilities = [ "update" ]` `}` `path "/consul-connect-intermediate-dc1-ca/*" {` `capabilities = [ "create", "read", "update", "delete", "list" ]` `}`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vault

Authentication backends

AppRole

Roles

`consul-connect`

Secrets engines/backends

Consul

Roles

Policies

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally