# ops-warden warden-sign OpenBao token Date: 2026-07-01 Catalog: `ops-warden-warden-sign-token` (status `active`) Owner: `railiance-platform` (credential broker / OpenBao) · grant `ops-warden/warden-sign` Workplan: `RAILIANCE-WP-0005` T08 · live-verified 2026-07-01 A short-lived OpenBao child token with only the `warden-sign` policy — enough for production `warden sign` and the flex-auth policy-gate smoke. ops-warden **does not mint, store, or vend this token**; it issues SSH certificates only. Token issuance belongs to the railiance-platform credential broker. --- ## Owner-confirmed lane | Field | Value | | --- | --- | | Grant id | `ops-warden/warden-sign` | | OpenBao token role | `warden-sign` | | Issuer policy | `credential-broker-warden-sign-issuer` | | Workload policy | `warden-sign` (SSH sign paths only) | | Default TTL | 15 minutes (max 1 hour) | | Preferred delivery | `exec-env` — inject into one child process, then revoke | | Grant catalog | `railiance-platform/credential-grants/catalog.yaml` | | Owner docs | `railiance-platform/docs/credential-broker.md` | --- ## Worker checklist 1. **Route here first** — do not paste `VAULT_TOKEN` into chat, State Hub, Git, or workplans: ```bash warden route find "VAULT_TOKEN ops-warden warden sign" --json warden route show ops-warden-warden-sign-token --json ``` 2. **Preferred: one-command exec injection** (no manual `export VAULT_TOKEN`): ```bash cd ~/railiance-platform make credential-exec-ops-warden-smoke ``` For an arbitrary child command: ```bash cd ~/railiance-platform scripts/credential.py exec \ --grant ops-warden/warden-sign \ --purpose ops-warden-production-sign-smoke \ --ttl 15m -- \ warden sign --pubkey ``` The helper mints a bounded child token, sets `VAULT_TOKEN` only in the child environment, redacts token-looking output, and revokes the lease when the child exits. 3. **Policy-gate production smoke** (FLEX-WP-0007 T4): ```bash cd ~/railiance-platform scripts/credential.py exec \ --grant ops-warden/warden-sign \ --purpose ops-warden-production-sign-smoke \ --ttl 15m -- \ SMOKE_VAULT=1 ~/ops-warden/scripts/policy_gate_production_smoke.sh ``` 4. **Attended handoff or local file** (when exec-env is not suitable): ```bash cd ~/railiance-platform scripts/credential.py request \ --grant ops-warden/warden-sign \ --purpose flex-auth-openbao-smoke \ --ttl 15m # default: mode-0600 file under .local/credential-leases/ + non-secret accessor metadata scripts/credential.py status scripts/credential.py revoke ``` 5. **Manual shell export (fallback only)** — when the broker is unavailable and an operator already holds a scoped token out-of-band: ```bash export VAULT_TOKEN="" # current shell only warden sign --pubkey ``` See `wiki/playbooks/operator-openbao-token-hygiene.md` for hygiene rules. Do not add literals to `~/.bashrc`. 6. **ops-warden role boundary** — `warden access` does not proxy this lane. The owner-native front door is `railiance-platform/scripts/credential.py` (or the Make wrappers). ops-warden routes and documents; it never holds the token value. --- ## Troubleshooting | Symptom | Likely cause | Action | | --- | --- | --- | | OpenBao sealed | Cluster restarted | Operator unseal (2/3 shares) — `railiance-platform/docs/openbao.md` | | `403` on grant apply | Pod token helper lacks ACL write | Use `OPENBAO_TOKEN_FILE` + platform-admin for one-time apply, not `--use-token-helper` | | `Vault token not found` in child | Broker did not inject env | Use `credential exec`, not bare `warden sign` | | `HTTP 403` during sign | Expired child token | Re-run `credential exec` with a fresh TTL | | Broker mint denied | Issuer policy/role missing | `make openbao-configure-token-grants` in `railiance-platform` | --- ## See also - `wiki/playbooks/operator-openbao-token-hygiene.md` — fallback manual token hygiene - `wiki/PolicyGatedSigning.md` — flex-auth policy gate and smoke - `wiki/CredentialRouting.md` — generic OpenBao routing (`openbao-api-key`) - `railiance-platform/docs/credential-broker.md` — broker ownership and threat model