I Don’t Want to Live on the Root Token

Vault gives you a root token at initialization.
It’s tempting to just keep using it for everything.

But for a long-term setup I want a clearer model:

  • Root token for bootstrap and emergencies only.
  • A dedicated admin persona for day-to-day Vault management.
  • Service identities for agents, proxies and apps.
  • Human operators with scoped capabilities.

High-Level Roles I’m Planning

Roughly:

  • Root:
      • enable/disable secrets engines,
      • manage top-level policies,
      • do dangerous operations.
  • Admin:
      • manage PKI mounts (pki-test, pki-prod),
      • manage auth methods,
      • manage roles and policies for services.
  • Services:
      • Vault Agents,
      • reverse proxies,
      • applications that need secrets.
  • Human users:
      • maybe via GitHub/OIDC or cert auth,
      • each with limited permissions.

Policies as the Core

Instead of memorizing who can do what, I want:

  • policy files in version control,
  • a clear mapping from user / service → policy names,
  • scripts to apply or diff policies.

This access model should match the Unix user layout and PKI design, so that:

  • a compromise of proxytest doesn’t give full Vault control,
  • an app-only identity can’t touch PKI admin or offline-like operations.
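As an added illustration of the split described above (not the author's actual policy files), here are two Vault ACL policies: an admin policy scoped to the PKI mounts and auth methods, and a service policy for a proxytest identity that can only issue leaf certificates from one role. The file names, the `proxytest` PKI role and the `svc-` policy prefix are assumptions; `sys/mounts` is deliberately left out of the admin policy so that enabling or disabling secrets engines stays a root-only operation.

```hcl
# admin.hcl (assumed name): day-to-day PKI and auth management, no root-only surface.

# Full control inside the two PKI mounts, but not over the mount table itself.
path "pki-test/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "pki-prod/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# May inspect the mount table, but sys/mounts/* writes are left to root.
path "sys/mounts" {
  capabilities = ["read"]
}

# Manage service policies only; top-level policies (root, admin) stay with root.
path "sys/policies/acl" {
  capabilities = ["list"]
}
path "sys/policies/acl/svc-*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Manage auth methods and their roles (enabling a method needs sudo on sys/auth/*).
path "sys/auth" {
  capabilities = ["read", "list"]
}
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "sudo"]
}
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# svc-proxytest.hcl (assumed name): service identity for the proxytest host.
# Issuing a certificate is an update on pki-test/issue/<role>; nothing else is granted.
path "pki-test/issue/proxytest" {
  capabilities = ["update"]
}
path "pki-test/cert/ca" {
  capabilities = ["read"]
}

# Explicit denies document intent; in Vault a deny overrides any other grant,
# so a compromise of proxytest cannot reach pki-prod, the CA key paths or sys/.
path "pki-prod/*" {
  capabilities = ["deny"]
}
path "pki-test/root/*" {
  capabilities = ["deny"]
}
path "sys/*" {
  capabilities = ["deny"]
}
```

Both files are loaded with `vault policy write <name> <file>`, and keeping them in version control lets `vault policy read <name>` be diffed against the repository copy before any change is applied.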