segregation of duties with Vault
97 views
Skip to first unread message
2funky
Jun 29, 2018, 10:23:40 AM6/29/18
to Vault
hello,
i am learning vault and i did the general tutorials of vault in AWS..
if we start from the hypothesis that in a typical devOps environment/culture, everybody has got some rights/privileges.
how to ensure segregation of duty for a particular task that should be only done in a controlled environment?
Is it possible to have a Vault that engineers access using AD auth mechanism to do their day to day activity and, in addition,
another Vault that use instead Shamir unseal key procedure to gain some privileges that should be executed only once or in special condition?
my aim is to have a quorum of 2,3 devOps in order to get some specific privileges in AWS
can you point me to some example how to do that?
thanks in advance for your help.
Brian Kassouf
Jun 29, 2018, 12:42:31 PM6/29/18
to vault...@googlegroups.com
Hello,
This can already be done in our enterprise offering via the control
group feature. https://www.vaultproject.io/docs/enterprise/control-groups/index.html
Additionally if policies are managed very carefully you could,
organizationally, require a root token for such actions. Root tokens
are generated by the unseal keys. Of course as always we recommend
having multiple eyes on a root token and revoking it once it's done
being used.
Alternatively if it truly is a different vault instance for just this
one action you could keep it sealed all the time until this special
action is needed.
Best,
Brian
> --
> This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/d0e67172-9f6c-4a3f-a1bb-b2e5ce282d39%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
This can already be done in our enterprise offering via the control
group feature. https://www.vaultproject.io/docs/enterprise/control-groups/index.html
Additionally if policies are managed very carefully you could,
organizationally, require a root token for such actions. Root tokens
are generated by the unseal keys. Of course as always we recommend
having multiple eyes on a root token and revoking it once it's done
being used.
Alternatively if it truly is a different vault instance for just this
one action you could keep it sealed all the time until this special
action is needed.
Best,
Brian
> This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/d0e67172-9f6c-4a3f-a1bb-b2e5ce282d39%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages