Document the railiance-platform credential broker as the owner-native path for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates so warden route find ranks the broker lane first; manual export remains a documented fallback only.
3.7 KiB
Operator OpenBao Token Hygiene
Date: 2026-06-24
Workplan: WARDEN-WP-0013 T4
Production warden sign against OpenBao needs a scoped warden-sign token in
VAULT_TOKEN — not the cluster root token. Prefer the credential broker so you
never paste or export the raw token manually.
Preferred path (credential broker)
Use the railiance-platform broker to mint a short-lived child token and inject it only into the command that needs it:
cd ~/railiance-platform
make credential-exec-ops-warden-smoke # policy-gate smoke, no manual VAULT_TOKEN
# Or for a single sign:
scripts/credential.py exec \
--grant ops-warden/warden-sign \
--purpose ops-warden-production-sign-smoke \
--ttl 15m -- \
warden sign <actor> --pubkey <path>
Routing: warden route show ops-warden-warden-sign-token --json · playbook:
wiki/playbooks/ops-warden-warden-sign-token.md.
ops-warden does not mint OpenBao tokens — the broker in railiance-platform does.
Rules
| Rule | Rationale |
|---|---|
Never commit VAULT_TOKEN |
Tokens are secrets |
| Never paste tokens in chat, State Hub, or workplans | Same |
Do not use root token for daily warden sign |
Break-glass only |
| Prefer short-lived tokens | Limit blast radius |
| Refresh on HTTP 403 | Token expired or policy mismatch |
Scoped token for warden
Production signing needs permission to call the SSH engine sign endpoint for the
roles mapped in warden.yaml (adm-role, agt-role, atm-role).
Illustrative policy shape (create in OpenBao policy admin — adjust names to match your cluster):
# warden-sign — least privilege for ops-warden CLI
path "ssh/sign/agt-role" {
capabilities = ["create", "update"]
}
path "ssh/sign/adm-role" {
capabilities = ["create", "update"]
}
path "ssh/sign/atm-role" {
capabilities = ["create", "update"]
}
Issue a token bound to warden-sign (operator procedure in railiance-platform /
OpenBao admin runbooks).
Session pattern (manual fallback)
Use only when the broker is unavailable and you already hold a scoped token out-of-band:
# Set for current shell only — do not add to ~/.bashrc with a literal token
export VAULT_TOKEN="<scoped-token>"
warden status agt-state-hub-bridge
warden sign agt-state-hub-bridge --pubkey ~/.ssh/agt-state-hub-bridge_ed25519.pub
warden reads the env var named in vault.token_env (default VAULT_TOKEN).
OIDC / interactive login
For human operators, prefer platform OIDC login that yields a short-lived OpenBao token instead of copying long-lived secrets.
| Need | Route to |
|---|---|
| Interactive login, OIDC, MFA | key-cape / Keycloak — warden route show key-cape-oidc-login |
ops-warden does not implement login; it documents the route only.
Troubleshooting
| Symptom | Likely cause | Action |
|---|---|---|
Vault token not found |
VAULT_TOKEN unset |
Export scoped token |
HTTP 403 / permission denied |
Expired token or insufficient policy | Re-issue warden-sign token |
Signing failed + connection error |
Wrong vault.addr or network |
Check warden.yaml, tunnel/VPN |
Suggest --backend local |
OpenBao unreachable | Fix connectivity; local is lab-only |
After fixing token issues, re-run:
warden sign <actor> --pubkey <path>
Root token (break-glass only)
Cluster root tokens bypass all policy. Use only for one-time engine setup
(wiki/OpenBaoSshEngineChecklist.md § One-time SSH engine setup), then revoke
from daily shell profile.
See also
wiki/playbooks/ops-warden-warden-sign-token.md— preferred broker pathwiki/OpenBaoSshEngineChecklist.mdwiki/OpsWardenConfig.md— Authentication sectionexamples/warden.production.example.yaml