generated from coulomb/repo-seed
Add OpenBao admin token action
This commit is contained in:
@@ -1503,6 +1503,9 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
|
|||||||
audit_list_command = token_prompt_command("bao audit list")
|
audit_list_command = token_prompt_command("bao audit list")
|
||||||
secrets_list_command = token_prompt_command("bao secrets list")
|
secrets_list_command = token_prompt_command("bao secrets list")
|
||||||
auth_list_command = token_prompt_command("bao auth list")
|
auth_list_command = token_prompt_command("bao auth list")
|
||||||
|
platform_admin_token_command = token_prompt_command(
|
||||||
|
"bao token create -policy=platform-admin -period=24h -orphan"
|
||||||
|
)
|
||||||
rotate_init_command = interactive_token_command(
|
rotate_init_command = interactive_token_command(
|
||||||
"bao operator rotate-keys -init -key-shares=3 -key-threshold=2"
|
"bao operator rotate-keys -init -key-shares=3 -key-threshold=2"
|
||||||
)
|
)
|
||||||
@@ -1592,6 +1595,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
|
|||||||
auth_list_command,
|
auth_list_command,
|
||||||
downstream_taint,
|
downstream_taint,
|
||||||
),
|
),
|
||||||
|
action(
|
||||||
|
"Create platform-admin token",
|
||||||
|
"Create a renewable 24-hour non-root OpenBao token with the platform-admin policy. The emitted token is secret; store it immediately through the approved operator secret path.",
|
||||||
|
platform_admin_token_command,
|
||||||
|
downstream_taint,
|
||||||
|
),
|
||||||
action(
|
action(
|
||||||
"Start unseal-key rotation",
|
"Start unseal-key rotation",
|
||||||
"Run once to start a new 3-share, threshold-2 rotation. If rotation is already in progress, do not rerun init; check status and submit existing shares.",
|
"Run once to start a new 3-share, threshold-2 rotation. If rotation is already in progress, do not rerun init; check status and submit existing shares.",
|
||||||
|
|||||||
@@ -296,6 +296,13 @@ rotation flow after the operator successfully started rotate-keys and then hit
|
|||||||
run-once step and that the next step is checking status or submitting existing
|
run-once step and that the next step is checking status or submitting existing
|
||||||
shares with the nonce until quorum completes.
|
shares with the nonce until quorum completes.
|
||||||
|
|
||||||
|
**2026-05-26:** Added a Usecases action card for creating the temporary
|
||||||
|
Railiance OpenBao `platform-admin` token with
|
||||||
|
`bao token create -policy=platform-admin -period=24h -orphan`. The command
|
||||||
|
prompts for the bootstrap/root token without placing it on the command line
|
||||||
|
and reminds the operator to store the emitted token through the approved secret
|
||||||
|
path.
|
||||||
|
|
||||||
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
|
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
|
||||||
custodian age-key bootstrap model to the control surface. The UI now records
|
custodian age-key bootstrap model to the control surface. The UI now records
|
||||||
the custodian public age recipient, a derived fingerprint, and a non-secret
|
the custodian public age recipient, a derived fingerprint, and a non-secret
|
||||||
|
|||||||
Reference in New Issue
Block a user