generated from coulomb/repo-seed
Add ops-warden-warden-sign-token routing lane for RAILIANCE-WP-0005 T08
Document the railiance-platform credential broker as the owner-native path for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates so warden route find ranks the broker lane first; manual export remains a documented fallback only.
This commit is contained in:
@@ -3,8 +3,33 @@
|
||||
Date: 2026-06-24
|
||||
Workplan: WARDEN-WP-0013 T4
|
||||
|
||||
Daily `warden sign` against production OpenBao requires a **scoped** API token in
|
||||
`VAULT_TOKEN` — not the cluster root token.
|
||||
Production `warden sign` against OpenBao needs a **scoped** `warden-sign` token in
|
||||
`VAULT_TOKEN` — not the cluster root token. Prefer the credential broker so you
|
||||
never paste or export the raw token manually.
|
||||
|
||||
---
|
||||
|
||||
## Preferred path (credential broker)
|
||||
|
||||
Use the railiance-platform broker to mint a short-lived child token and inject it
|
||||
only into the command that needs it:
|
||||
|
||||
```bash
|
||||
cd ~/railiance-platform
|
||||
make credential-exec-ops-warden-smoke # policy-gate smoke, no manual VAULT_TOKEN
|
||||
|
||||
# Or for a single sign:
|
||||
scripts/credential.py exec \
|
||||
--grant ops-warden/warden-sign \
|
||||
--purpose ops-warden-production-sign-smoke \
|
||||
--ttl 15m -- \
|
||||
warden sign <actor> --pubkey <path>
|
||||
```
|
||||
|
||||
Routing: `warden route show ops-warden-warden-sign-token --json` · playbook:
|
||||
`wiki/playbooks/ops-warden-warden-sign-token.md`.
|
||||
|
||||
ops-warden does not mint OpenBao tokens — the broker in `railiance-platform` does.
|
||||
|
||||
---
|
||||
|
||||
@@ -46,7 +71,10 @@ OpenBao admin runbooks).
|
||||
|
||||
---
|
||||
|
||||
## Session pattern
|
||||
## Session pattern (manual fallback)
|
||||
|
||||
Use only when the broker is unavailable and you already hold a scoped token
|
||||
out-of-band:
|
||||
|
||||
```bash
|
||||
# Set for current shell only — do not add to ~/.bashrc with a literal token
|
||||
@@ -100,6 +128,7 @@ from daily shell profile.
|
||||
|
||||
## See also
|
||||
|
||||
- `wiki/playbooks/ops-warden-warden-sign-token.md` — preferred broker path
|
||||
- `wiki/OpenBaoSshEngineChecklist.md`
|
||||
- `wiki/OpsWardenConfig.md` — Authentication section
|
||||
- `examples/warden.production.example.yaml`
|
||||
109
wiki/playbooks/ops-warden-warden-sign-token.md
Normal file
109
wiki/playbooks/ops-warden-warden-sign-token.md
Normal file
@@ -0,0 +1,109 @@
|
||||
# ops-warden warden-sign OpenBao token
|
||||
|
||||
Date: 2026-07-01
|
||||
Catalog: `ops-warden-warden-sign-token` (status `active`)
|
||||
Owner: `railiance-platform` (credential broker / OpenBao) · grant `ops-warden/warden-sign`
|
||||
Workplan: `RAILIANCE-WP-0005` T08 · live-verified 2026-07-01
|
||||
|
||||
A short-lived OpenBao child token with only the `warden-sign` policy — enough for
|
||||
production `warden sign` and the flex-auth policy-gate smoke. ops-warden **does not
|
||||
mint, store, or vend this token**; it issues SSH certificates only. Token issuance
|
||||
belongs to the railiance-platform credential broker.
|
||||
|
||||
---
|
||||
|
||||
## Owner-confirmed lane
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Grant id | `ops-warden/warden-sign` |
|
||||
| OpenBao token role | `warden-sign` |
|
||||
| Issuer policy | `credential-broker-warden-sign-issuer` |
|
||||
| Workload policy | `warden-sign` (SSH sign paths only) |
|
||||
| Default TTL | 15 minutes (max 1 hour) |
|
||||
| Preferred delivery | `exec-env` — inject into one child process, then revoke |
|
||||
| Grant catalog | `railiance-platform/credential-grants/catalog.yaml` |
|
||||
| Owner docs | `railiance-platform/docs/credential-broker.md` |
|
||||
|
||||
---
|
||||
|
||||
## Worker checklist
|
||||
|
||||
1. **Route here first** — do not paste `VAULT_TOKEN` into chat, State Hub, Git, or workplans:
|
||||
```bash
|
||||
warden route find "VAULT_TOKEN ops-warden warden sign" --json
|
||||
warden route show ops-warden-warden-sign-token --json
|
||||
```
|
||||
|
||||
2. **Preferred: one-command exec injection** (no manual `export VAULT_TOKEN`):
|
||||
```bash
|
||||
cd ~/railiance-platform
|
||||
make credential-exec-ops-warden-smoke
|
||||
```
|
||||
For an arbitrary child command:
|
||||
```bash
|
||||
cd ~/railiance-platform
|
||||
scripts/credential.py exec \
|
||||
--grant ops-warden/warden-sign \
|
||||
--purpose ops-warden-production-sign-smoke \
|
||||
--ttl 15m -- \
|
||||
warden sign <actor> --pubkey <path>
|
||||
```
|
||||
The helper mints a bounded child token, sets `VAULT_TOKEN` only in the child
|
||||
environment, redacts token-looking output, and revokes the lease when the child exits.
|
||||
|
||||
3. **Policy-gate production smoke** (FLEX-WP-0007 T4):
|
||||
```bash
|
||||
cd ~/railiance-platform
|
||||
scripts/credential.py exec \
|
||||
--grant ops-warden/warden-sign \
|
||||
--purpose ops-warden-production-sign-smoke \
|
||||
--ttl 15m -- \
|
||||
SMOKE_VAULT=1 ~/ops-warden/scripts/policy_gate_production_smoke.sh
|
||||
```
|
||||
|
||||
4. **Attended handoff or local file** (when exec-env is not suitable):
|
||||
```bash
|
||||
cd ~/railiance-platform
|
||||
scripts/credential.py request \
|
||||
--grant ops-warden/warden-sign \
|
||||
--purpose flex-auth-openbao-smoke \
|
||||
--ttl 15m
|
||||
# default: mode-0600 file under .local/credential-leases/ + non-secret accessor metadata
|
||||
scripts/credential.py status <lease-accessor>
|
||||
scripts/credential.py revoke <lease-accessor>
|
||||
```
|
||||
|
||||
5. **Manual shell export (fallback only)** — when the broker is unavailable and an
|
||||
operator already holds a scoped token out-of-band:
|
||||
```bash
|
||||
export VAULT_TOKEN="<scoped-warden-sign-token>" # current shell only
|
||||
warden sign <actor> --pubkey <path>
|
||||
```
|
||||
See `wiki/playbooks/operator-openbao-token-hygiene.md` for hygiene rules. Do not
|
||||
add literals to `~/.bashrc`.
|
||||
|
||||
6. **ops-warden role boundary** — `warden access` does not proxy this lane. The
|
||||
owner-native front door is `railiance-platform/scripts/credential.py` (or the
|
||||
Make wrappers). ops-warden routes and documents; it never holds the token value.
|
||||
|
||||
---
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
| Symptom | Likely cause | Action |
|
||||
| --- | --- | --- |
|
||||
| OpenBao sealed | Cluster restarted | Operator unseal (2/3 shares) — `railiance-platform/docs/openbao.md` |
|
||||
| `403` on grant apply | Pod token helper lacks ACL write | Use `OPENBAO_TOKEN_FILE` + platform-admin for one-time apply, not `--use-token-helper` |
|
||||
| `Vault token not found` in child | Broker did not inject env | Use `credential exec`, not bare `warden sign` |
|
||||
| `HTTP 403` during sign | Expired child token | Re-run `credential exec` with a fresh TTL |
|
||||
| Broker mint denied | Issuer policy/role missing | `make openbao-configure-token-grants` in `railiance-platform` |
|
||||
|
||||
---
|
||||
|
||||
## See also
|
||||
|
||||
- `wiki/playbooks/operator-openbao-token-hygiene.md` — fallback manual token hygiene
|
||||
- `wiki/PolicyGatedSigning.md` — flex-auth policy gate and smoke
|
||||
- `wiki/CredentialRouting.md` — generic OpenBao routing (`openbao-api-key`)
|
||||
- `railiance-platform/docs/credential-broker.md` — broker ownership and threat model
|
||||
Reference in New Issue
Block a user