Add OpenBao admin token action

This commit is contained in:
2026-05-26 00:23:06 +02:00
parent d0c7ff9f3b
commit cfd8231849
2 changed files with 16 additions and 0 deletions

View File

@@ -1503,6 +1503,9 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
audit_list_command = token_prompt_command("bao audit list")
secrets_list_command = token_prompt_command("bao secrets list")
auth_list_command = token_prompt_command("bao auth list")
platform_admin_token_command = token_prompt_command(
"bao token create -policy=platform-admin -period=24h -orphan"
)
rotate_init_command = interactive_token_command(
"bao operator rotate-keys -init -key-shares=3 -key-threshold=2"
)
@@ -1592,6 +1595,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
auth_list_command,
downstream_taint,
),
action(
"Create platform-admin token",
"Create a renewable 24-hour non-root OpenBao token with the platform-admin policy. The emitted token is secret; store it immediately through the approved operator secret path.",
platform_admin_token_command,
downstream_taint,
),
action(
"Start unseal-key rotation",
"Run once to start a new 3-share, threshold-2 rotation. If rotation is already in progress, do not rerun init; check status and submit existing shares.",

View File

@@ -296,6 +296,13 @@ rotation flow after the operator successfully started rotate-keys and then hit
run-once step and that the next step is checking status or submitting existing
shares with the nonce until quorum completes.
**2026-05-26:** Added a Usecases action card for creating the temporary
Railiance OpenBao `platform-admin` token with
`bao token create -policy=platform-admin -period=24h -orphan`. The command
prompts for the bootstrap/root token without placing it on the command line
and reminds the operator to store the emitted token through the approved secret
path.
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
custodian age-key bootstrap model to the control surface. The UI now records
the custodian public age recipient, a derived fingerprint, and a non-secret