Files
ops-warden/wiki/playbooks/operator-openbao-token-hygiene.md
tegwick 0c1082059b Add ops-warden-warden-sign-token routing lane for RAILIANCE-WP-0005 T08
Document the railiance-platform credential broker as the owner-native path
for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates
so warden route find ranks the broker lane first; manual export remains a
documented fallback only.
2026-07-01 23:16:38 +02:00

134 lines
3.7 KiB
Markdown

# Operator OpenBao Token Hygiene
Date: 2026-06-24
Workplan: WARDEN-WP-0013 T4
Production `warden sign` against OpenBao needs a **scoped** `warden-sign` token in
`VAULT_TOKEN` — not the cluster root token. Prefer the credential broker so you
never paste or export the raw token manually.
---
## Preferred path (credential broker)
Use the railiance-platform broker to mint a short-lived child token and inject it
only into the command that needs it:
```bash
cd ~/railiance-platform
make credential-exec-ops-warden-smoke # policy-gate smoke, no manual VAULT_TOKEN
# Or for a single sign:
scripts/credential.py exec \
--grant ops-warden/warden-sign \
--purpose ops-warden-production-sign-smoke \
--ttl 15m -- \
warden sign <actor> --pubkey <path>
```
Routing: `warden route show ops-warden-warden-sign-token --json` · playbook:
`wiki/playbooks/ops-warden-warden-sign-token.md`.
ops-warden does not mint OpenBao tokens — the broker in `railiance-platform` does.
---
## Rules
| Rule | Rationale |
| --- | --- |
| Never commit `VAULT_TOKEN` | Tokens are secrets |
| Never paste tokens in chat, State Hub, or workplans | Same |
| Do not use root token for daily `warden sign` | Break-glass only |
| Prefer short-lived tokens | Limit blast radius |
| Refresh on HTTP 403 | Token expired or policy mismatch |
---
## Scoped token for warden
Production signing needs permission to call the SSH engine sign endpoint for the
roles mapped in `warden.yaml` (`adm-role`, `agt-role`, `atm-role`).
Illustrative policy shape (create in OpenBao policy admin — adjust names to match
your cluster):
```hcl
# warden-sign — least privilege for ops-warden CLI
path "ssh/sign/agt-role" {
capabilities = ["create", "update"]
}
path "ssh/sign/adm-role" {
capabilities = ["create", "update"]
}
path "ssh/sign/atm-role" {
capabilities = ["create", "update"]
}
```
Issue a token bound to `warden-sign` (operator procedure in `railiance-platform` /
OpenBao admin runbooks).
---
## Session pattern (manual fallback)
Use only when the broker is unavailable and you already hold a scoped token
out-of-band:
```bash
# Set for current shell only — do not add to ~/.bashrc with a literal token
export VAULT_TOKEN="<scoped-token>"
warden status agt-state-hub-bridge
warden sign agt-state-hub-bridge --pubkey ~/.ssh/agt-state-hub-bridge_ed25519.pub
```
`warden` reads the env var named in `vault.token_env` (default `VAULT_TOKEN`).
---
## OIDC / interactive login
For human operators, prefer platform OIDC login that yields a short-lived OpenBao
token instead of copying long-lived secrets.
| Need | Route to |
| --- | --- |
| Interactive login, OIDC, MFA | key-cape / Keycloak — `warden route show key-cape-oidc-login` |
ops-warden does not implement login; it documents the route only.
---
## Troubleshooting
| Symptom | Likely cause | Action |
| --- | --- | --- |
| `Vault token not found` | `VAULT_TOKEN` unset | Export scoped token |
| `HTTP 403` / `permission denied` | Expired token or insufficient policy | Re-issue `warden-sign` token |
| `Signing failed` + connection error | Wrong `vault.addr` or network | Check `warden.yaml`, tunnel/VPN |
| Suggest `--backend local` | OpenBao unreachable | Fix connectivity; local is lab-only |
After fixing token issues, re-run:
```bash
warden sign <actor> --pubkey <path>
```
---
## Root token (break-glass only)
Cluster root tokens bypass all policy. Use only for one-time engine setup
(`wiki/OpenBaoSshEngineChecklist.md` § One-time SSH engine setup), then revoke
from daily shell profile.
---
## See also
- `wiki/playbooks/ops-warden-warden-sign-token.md` — preferred broker path
- `wiki/OpenBaoSshEngineChecklist.md`
- `wiki/OpsWardenConfig.md` — Authentication section
- `examples/warden.production.example.yaml`