Document the railiance-platform credential broker as the owner-native path for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates so warden route find ranks the broker lane first; manual export remains a documented fallback only.
4.2 KiB
ops-warden warden-sign OpenBao token
Date: 2026-07-01
Catalog: ops-warden-warden-sign-token (status active)
Owner: railiance-platform (credential broker / OpenBao) · grant ops-warden/warden-sign
Workplan: RAILIANCE-WP-0005 T08 · live-verified 2026-07-01
A short-lived OpenBao child token with only the warden-sign policy — enough for
production warden sign and the flex-auth policy-gate smoke. ops-warden does not
mint, store, or vend this token; it issues SSH certificates only. Token issuance
belongs to the railiance-platform credential broker.
Owner-confirmed lane
| Field | Value |
|---|---|
| Grant id | ops-warden/warden-sign |
| OpenBao token role | warden-sign |
| Issuer policy | credential-broker-warden-sign-issuer |
| Workload policy | warden-sign (SSH sign paths only) |
| Default TTL | 15 minutes (max 1 hour) |
| Preferred delivery | exec-env — inject into one child process, then revoke |
| Grant catalog | railiance-platform/credential-grants/catalog.yaml |
| Owner docs | railiance-platform/docs/credential-broker.md |
Worker checklist
-
Route here first — do not paste
VAULT_TOKENinto chat, State Hub, Git, or workplans:warden route find "VAULT_TOKEN ops-warden warden sign" --json warden route show ops-warden-warden-sign-token --json -
Preferred: one-command exec injection (no manual
export VAULT_TOKEN):cd ~/railiance-platform make credential-exec-ops-warden-smokeFor an arbitrary child command:
cd ~/railiance-platform scripts/credential.py exec \ --grant ops-warden/warden-sign \ --purpose ops-warden-production-sign-smoke \ --ttl 15m -- \ warden sign <actor> --pubkey <path>The helper mints a bounded child token, sets
VAULT_TOKENonly in the child environment, redacts token-looking output, and revokes the lease when the child exits. -
Policy-gate production smoke (FLEX-WP-0007 T4):
cd ~/railiance-platform scripts/credential.py exec \ --grant ops-warden/warden-sign \ --purpose ops-warden-production-sign-smoke \ --ttl 15m -- \ SMOKE_VAULT=1 ~/ops-warden/scripts/policy_gate_production_smoke.sh -
Attended handoff or local file (when exec-env is not suitable):
cd ~/railiance-platform scripts/credential.py request \ --grant ops-warden/warden-sign \ --purpose flex-auth-openbao-smoke \ --ttl 15m # default: mode-0600 file under .local/credential-leases/ + non-secret accessor metadata scripts/credential.py status <lease-accessor> scripts/credential.py revoke <lease-accessor> -
Manual shell export (fallback only) — when the broker is unavailable and an operator already holds a scoped token out-of-band:
export VAULT_TOKEN="<scoped-warden-sign-token>" # current shell only warden sign <actor> --pubkey <path>See
wiki/playbooks/operator-openbao-token-hygiene.mdfor hygiene rules. Do not add literals to~/.bashrc. -
ops-warden role boundary —
warden accessdoes not proxy this lane. The owner-native front door israiliance-platform/scripts/credential.py(or the Make wrappers). ops-warden routes and documents; it never holds the token value.
Troubleshooting
| Symptom | Likely cause | Action |
|---|---|---|
| OpenBao sealed | Cluster restarted | Operator unseal (2/3 shares) — railiance-platform/docs/openbao.md |
403 on grant apply |
Pod token helper lacks ACL write | Use OPENBAO_TOKEN_FILE + platform-admin for one-time apply, not --use-token-helper |
Vault token not found in child |
Broker did not inject env | Use credential exec, not bare warden sign |
HTTP 403 during sign |
Expired child token | Re-run credential exec with a fresh TTL |
| Broker mint denied | Issuer policy/role missing | make openbao-configure-token-grants in railiance-platform |
See also
wiki/playbooks/operator-openbao-token-hygiene.md— fallback manual token hygienewiki/PolicyGatedSigning.md— flex-auth policy gate and smokewiki/CredentialRouting.md— generic OpenBao routing (openbao-api-key)railiance-platform/docs/credential-broker.md— broker ownership and threat model