This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
ops-warden/wiki/playbooks/ops-warden-warden-sign-token.md
tegwick 0c1082059b Add ops-warden-warden-sign-token routing lane for RAILIANCE-WP-0005 T08
Document the railiance-platform credential broker as the owner-native path
for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates
so warden route find ranks the broker lane first; manual export remains a
documented fallback only.
2026-07-01 23:16:38 +02:00

4.2 KiB

ops-warden warden-sign OpenBao token

Date: 2026-07-01 Catalog: ops-warden-warden-sign-token (status active) Owner: railiance-platform (credential broker / OpenBao) · grant ops-warden/warden-sign Workplan: RAILIANCE-WP-0005 T08 · live-verified 2026-07-01

A short-lived OpenBao child token with only the warden-sign policy — enough for production warden sign and the flex-auth policy-gate smoke. ops-warden does not mint, store, or vend this token; it issues SSH certificates only. Token issuance belongs to the railiance-platform credential broker.


Owner-confirmed lane

Field Value
Grant id ops-warden/warden-sign
OpenBao token role warden-sign
Issuer policy credential-broker-warden-sign-issuer
Workload policy warden-sign (SSH sign paths only)
Default TTL 15 minutes (max 1 hour)
Preferred delivery exec-env — inject into one child process, then revoke
Grant catalog railiance-platform/credential-grants/catalog.yaml
Owner docs railiance-platform/docs/credential-broker.md

Worker checklist

  1. Route here first — do not paste VAULT_TOKEN into chat, State Hub, Git, or workplans:

    warden route find "VAULT_TOKEN ops-warden warden sign" --json
    warden route show ops-warden-warden-sign-token --json
    
  2. Preferred: one-command exec injection (no manual export VAULT_TOKEN):

    cd ~/railiance-platform
    make credential-exec-ops-warden-smoke
    

    For an arbitrary child command:

    cd ~/railiance-platform
    scripts/credential.py exec \
      --grant ops-warden/warden-sign \
      --purpose ops-warden-production-sign-smoke \
      --ttl 15m -- \
      warden sign <actor> --pubkey <path>
    

    The helper mints a bounded child token, sets VAULT_TOKEN only in the child environment, redacts token-looking output, and revokes the lease when the child exits.

  3. Policy-gate production smoke (FLEX-WP-0007 T4):

    cd ~/railiance-platform
    scripts/credential.py exec \
      --grant ops-warden/warden-sign \
      --purpose ops-warden-production-sign-smoke \
      --ttl 15m -- \
      SMOKE_VAULT=1 ~/ops-warden/scripts/policy_gate_production_smoke.sh
    
  4. Attended handoff or local file (when exec-env is not suitable):

    cd ~/railiance-platform
    scripts/credential.py request \
      --grant ops-warden/warden-sign \
      --purpose flex-auth-openbao-smoke \
      --ttl 15m
    # default: mode-0600 file under .local/credential-leases/ + non-secret accessor metadata
    scripts/credential.py status <lease-accessor>
    scripts/credential.py revoke <lease-accessor>
    
  5. Manual shell export (fallback only) — when the broker is unavailable and an operator already holds a scoped token out-of-band:

    export VAULT_TOKEN="<scoped-warden-sign-token>"   # current shell only
    warden sign <actor> --pubkey <path>
    

    See wiki/playbooks/operator-openbao-token-hygiene.md for hygiene rules. Do not add literals to ~/.bashrc.

  6. ops-warden role boundarywarden access does not proxy this lane. The owner-native front door is railiance-platform/scripts/credential.py (or the Make wrappers). ops-warden routes and documents; it never holds the token value.


Troubleshooting

Symptom Likely cause Action
OpenBao sealed Cluster restarted Operator unseal (2/3 shares) — railiance-platform/docs/openbao.md
403 on grant apply Pod token helper lacks ACL write Use OPENBAO_TOKEN_FILE + platform-admin for one-time apply, not --use-token-helper
Vault token not found in child Broker did not inject env Use credential exec, not bare warden sign
HTTP 403 during sign Expired child token Re-run credential exec with a fresh TTL
Broker mint denied Issuer policy/role missing make openbao-configure-token-grants in railiance-platform

See also

  • wiki/playbooks/operator-openbao-token-hygiene.md — fallback manual token hygiene
  • wiki/PolicyGatedSigning.md — flex-auth policy gate and smoke
  • wiki/CredentialRouting.md — generic OpenBao routing (openbao-api-key)
  • railiance-platform/docs/credential-broker.md — broker ownership and threat model