generated from coulomb/repo-seed
Add OpenBao admin token action
@@ -1503,6 +1503,9 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
|
||||
audit_list_command = token_prompt_command("bao audit list")
|
||||
secrets_list_command = token_prompt_command("bao secrets list")
|
||||
auth_list_command = token_prompt_command("bao auth list")
|
||||
platform_admin_token_command = token_prompt_command(
|
||||
"bao token create -policy=platform-admin -period=24h -orphan"
|
||||
)
|
||||
rotate_init_command = interactive_token_command(
|
||||
"bao operator rotate-keys -init -key-shares=3 -key-threshold=2"
|
||||
)
|
||||
@@ -1592,6 +1595,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
|
||||
auth_list_command,
|
||||
downstream_taint,
|
||||
),
|
||||
action(
|
||||
"Create platform-admin token",
|
||||
"Create a renewable 24-hour non-root OpenBao token with the platform-admin policy. The emitted token is secret; store it immediately through the approved operator secret path.",
|
||||
platform_admin_token_command,
|
||||
downstream_taint,
|
||||
),
|
||||
action(
|
||||
"Start unseal-key rotation",
|
||||
"Run once to start a new 3-share, threshold-2 rotation. If rotation is already in progress, do not rerun init; check status and submit existing shares.",
|
||||
|
||||
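Review bot: The card text on the `"Create a renewable 24-hour non-root OpenBao token..."` line understates the credential's lifetime: `-period=24h` creates a periodic token, which on Vault-compatible servers can be renewed indefinitely in 24-hour windows unless an explicit max TTL is set, and `-orphan` means revoking the issuing root/bootstrap token will not revoke it. The same command string is introduced in the earlier hunk around line 1503, so both places should agree. Either bound the token in the command, e.g. `"bao token create -policy=platform-admin -period=24h -orphan -explicit-max-ttl=72h"` (value illustrative), or make the description match what the flags do: `"Create an orphan, periodic OpenBao token (24h period, renewable indefinitely) with the platform-admin policy. It survives revocation of the root token that issued it; revoke it explicitly when the task is finished."`. Adding `-display-name=platform-admin` would also make the token's use attributable in the audit log. The enclosing runbook_command_payloads function starts and ends outside these hunks.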
@@ -296,6 +296,13 @@ rotation flow after the operator successfully started rotate-keys and then hit
|
||||
run-once step and that the next step is checking status or submitting existing
|
||||
shares with the nonce until quorum completes.
|
||||
|
||||
**2026-05-26:** Added a Usecases action card for creating the temporary
|
||||
Railiance OpenBao `platform-admin` token with
|
||||
`bao token create -policy=platform-admin -period=24h -orphan`. The command
|
||||
prompts for the bootstrap/root token without placing it on the command line
|
||||
and reminds the operator to store the emitted token through the approved secret
|
||||
path.
|
||||
|
||||
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
|
||||
custodian age-key bootstrap model to the control surface. The UI now records
|
||||
the custodian public age recipient, a derived fingerprint, and a non-secret
|
||||
|
||||