Credential Stores

A credential store is a resource that can retrieve, store, and potentially generate credentials of differing types and differing access levels. It belongs to a project and supports the principle of least privilege by providing mechanisms to limit the credentials it can access to the minimum necessary for the project it is in. A credential store can also contain credential libraries.

Attributes

A credential store has the following configurable attributes:

  • name - (optional) If set, the name must be unique within the credential store’s project.

  • description - (optional)

Vault Credential Store Attributes

A Vault credential store has the following additional attributes:

  • address - (required) The address of the Vault server. This should be a complete URL such as https://127.0.0.1:8200.

  • token - (required) A token used for accessing Vault. This token must meet the Vault token requirements described below. Each Vault credential store must be configured with a unique Vault token.

  • ca_cert - (optional) A PEM-encoded CA certificate to verify the Vault server’s TLS certificate.

  • tls_server_name - (optional) Name to use as the SNI host when connecting to Vault via TLS.

  • tls_skip_verify - (optional) Disable verification of TLS certificates. Using this option is highly discouraged as it decreases the security of data transmissions to and from the Vault server.

  • client_certificate - (optional) A PEM-encoded client certificate to use for TLS authentication to the Vault server.

  • client_certificate_key - (optional) A PEM-encoded private key matching the client certificate from client_certificate.

  • namespace - (optional) A Vault namespace. Requires Vault Enterprise.

Referenced By

Service API Docs

The following services are relevant to this resource:

Vault Token Requirements

Each Vault credential store must be configured with a unique Vault token. The Vault tokens for all credential stores must be periodic, renewable, and an orphan. All tokens must also have the capabilities of the Vault Boundary Controller Policy described below.

Vault Policies

The credential store’s token must have the capabilities to issue credentials for each of it’s credential libraries plus the capabilities of the Vault Boundary Controller Policy described below.

We recommend creating a unique Vault policy for each Vault credential store that grants the minimum set of permissions needed by the credential store’s libraries. We also recommend the Vault Boundary Controller Policy be kept distinct from any other Vault policies. This allows each credential store to have a token that is configured with two polices: one shared by all credential stores and one unique to that credential store. This also allows a credential store to be created with the minimum permissions necessary at any point in time. The policy unique to a credential store can then be updated as needed when credential libraries are added and removed from the credential store.

Vault Boundary Controller Policy

The token Boundary receives must have the capabilities listed below. An explanation for the use of each capability is given.

  1. # Allow Boundary to read and verify the properties of the token. This is
  2. # provided by the "default" policy.
  3. path "auth/token/lookup-self" {
  4.   capabilities = ["read"]
  5. }
  7. # Allow Boundary to renew the token. This is provided by the "default"
  8. # policy.
  9. path "auth/token/renew-self" {
  10.   capabilities = ["update"]
  11. }
  13. # Allow Boundary to revoke the token when the credential store is updated
  14. # to use a new token or the credential store is deleted. This is provided
  15. # by the "default" policy.
  16. path "auth/token/revoke-self" {
  17.   capabilities = ["update"]
  18. }
  20. # Allow Boundary to renew the credentials in active sessions. This is
  21. # provided by the "default" policy.
  22. path "sys/leases/renew" {
  23.   capabilities = ["update"]
  24. }
  26. # Allow Boundary to revoke the credentials issued for a session when the
  27. # session is terminated.
  28. path "sys/leases/revoke" {
  29.   capabilities = ["update"]
  30. }
  32. # Allow Boundary to read and verify the token's capabilities for each Vault
  33. # path used by the credential store. This is provided by the "default"
  34. # policy.
  35. path "sys/capabilities-self" {
  36.   capabilities = ["update"]
  37. }
  1. # Allow Boundary to read and verify the properties of the token. This is# provided by the "default" policy.path "auth/token/lookup-self" {  capabilities = ["read"]}
  2. # Allow Boundary to renew the token. This is provided by the "default"# policy.path "auth/token/renew-self" {  capabilities = ["update"]}
  3. # Allow Boundary to revoke the token when the credential store is updated# to use a new token or the credential store is deleted. This is provided# by the "default" policy.path "auth/token/revoke-self" {  capabilities = ["update"]}
  4. # Allow Boundary to renew the credentials in active sessions. This is# provided by the "default" policy.path "sys/leases/renew" {  capabilities = ["update"]}
  5. # Allow Boundary to revoke the credentials issued for a session when the# session is terminated.path "sys/leases/revoke" {  capabilities = ["update"]}
  6. # Allow Boundary to read and verify the token's capabilities for each Vault# path used by the credential store. This is provided by the "default"# policy.path "sys/capabilities-self" {  capabilities = ["update"]}

The above boundary-controller policy is available for download. Below is an example of writing this policy to Vault:

  1. # Download the policy
  2. $ curl https://boundaryproject.io/data/vault/boundary-controller-policy.hcl -O -s -L
  4. # Write the policy to Vault
  5. $ vault policy write boundary-controller boundary-controller-policy.hcl
  1. # Download the policy$ curl https://boundaryproject.io/data/vault/boundary-controller-policy.hcl -O -s -L
  2. # Write the policy to Vault$ vault policy write boundary-controller boundary-controller-policy.hcl