From a3ef78701e51f9d3f656623bb5cecc0ec4788e74 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Sat, 9 Apr 2022 20:46:48 +0100 Subject: [PATCH] web/lukegbcom: add a diagram to illustrate the token hierarchy --- .../posts/2022-04-07-vault-and-me.md | 31 +++++++++++++++++++ .../token-hierarchy.svg | 1 + 2 files changed, 32 insertions(+) create mode 100644 web/lukegbcom/public/assets/posts/2022-04-07-vault-and-me/token-hierarchy.svg diff --git a/web/lukegbcom/posts/2022-04-07-vault-and-me.md b/web/lukegbcom/posts/2022-04-07-vault-and-me.md index 8198c3df20..035bd04784 100644 --- a/web/lukegbcom/posts/2022-04-07-vault-and-me.md +++ b/web/lukegbcom/posts/2022-04-07-vault-and-me.md 
@@ -140,6 +140,37 @@ to `kv/server/$HOSTNAME`, and to issue ACME certificates, and the Nix binary cache credentials. They also have the power to issue subtokens with lesser-power than themselves. +### ...how about as a diagram? + +The description of the above might be a little confusing in terms of the Vault +policy hierarchy, so here's an example: + +![Diagram illustrating token hierarchy](token-hierarchy.svg) + +1. Vault issues the Vault Agent on `clouvider-lon01` a token. This token + includes the Vault policies `default`, `server`, `server-user`, + `server/clouvider-lon01`, `server/clouvider-lon01/app/gitlab-runner`, and + `app/deployer`. The app policies (`server/clouvider-lon01/app/gitlab-runner` + and `app/deployer`) are attached because the server configuration in the + repository states that those two applications are intended to be deployed on + that server. +2. `secretsmgr` on `clouvider-lon01` uses the token held by the Vault Agent + directly to refresh any TLS or SSH certificates needed by the server. +3. `tokend` on `clouvider-lon01` has no token of its own, but uses the one held + by the Vault Agent to issue app- or user-specific sub-tokens, with a subset + of the policies attached to the initial token. +4. `gitlab-runner` on `clouvider-lon01` talks to `tokend`, which issues it a + subtoken with **just** the `default` and + `server/clouvider-lon01/app/gitlab-runner` policies. +5. `deployer` on `clouvider-lon01` also talks to `tokend`, but it gets a + different subtoken which instead has the `default` and `app/deployer` + policies. +6. My own personal user account, `lukegb`, can also talk to `tokend` to get a + subtoken with the `default` and `server-user` policies. This token is very + limited compared to a standard `user`-policy token, which needs to be issued + by using the Vault API directly to authenticate as a user based on some + OpenID Connect credentials. 
+ ## Vault App ID credentials I use the "App ID" mode in Vault to provision secrets to servers; when setting diff --git a/web/lukegbcom/public/assets/posts/2022-04-07-vault-and-me/token-hierarchy.svg b/web/lukegbcom/public/assets/posts/2022-04-07-vault-and-me/token-hierarchy.svg new file mode 100644 index 0000000000..8389c2f65b --- /dev/null +++ b/web/lukegbcom/public/assets/posts/2022-04-07-vault-and-me/token-hierarchy.svg @@ -0,0 +1 @@ + \ No newline at end of file
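Review bot: step 6 of the new list calls the `default` + `server-user` subtoken "very limited compared to a standard `user`-policy token" but the section never states what `server-user` actually grants, and step 1 attaches it to the Vault Agent's server token without saying why a server-scoped token carries a user policy. Suggest a clause after step 6 naming what `server-user` permits and why it is on the agent token; the preceding context mentions `kv/server/$HOSTNAME`, ACME certificates and the Nix binary cache credentials, so a reader will want to know which of those a `server-user` subtoken can reach. The two app policies also have different shapes, `server/clouvider-lon01/app/gitlab-runner` (host-scoped) versus `app/deployer` (global); one sentence on when an app policy is host-scoped versus global would make the hierarchy the diagram is meant to illustrate easier to follow.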
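Review bot: the new file `web/lukegbcom/public/assets/posts/2022-04-07-vault-and-me/token-hierarchy.svg` shows up in this patch as a single line with no visible markup and no trailing newline (`\ No newline at end of file`), so please confirm the SVG content is really in the commit; an empty asset leaves the `![Diagram illustrating token hierarchy](token-hierarchy.svg)` reference in the first hunk rendering as a broken image. The markdown also refers to the file by the bare relative name `token-hierarchy.svg` while the asset sits under `public/assets/posts/2022-04-07-vault-and-me/`, so the link relies on the site build mapping post-relative paths to that directory; check a rendered build, and add a final newline to the SVG so later edits diff cleanly.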