How do we make sure that Operator of vault server cannot use admin's clients account (entity) to do something bad?

natthawat3151 · June 9, 2024, 6:47am

I’m a internship. Right now I’ve been assign to implement the SSH Cert. using Vault from hashicrop but in the authenticate part between clients (admin) and vault server that operated by vault server operator how can we make sure that the operator not going to use the admin entity to do something bad with the server because from my understanding the vault server operator have to be the one that create the user account right? and manage all policy of each client.

ps. if i misunderstands in some point please help me clarify that concept please thank you!

Joffrey · June 10, 2024, 1:55pm

I, actually in my compagny “Admin role” is a role with a policy to change policy. All Vault configuration is IaC with terraform. All terraform code is in Gitlab and can be reviewed by the secure team. All Vault command are logged in Splunk with dashboard for the security team.
Of there, there is no root token.

Topic		Replies	Views
Vault administrator user Vault	6	143	January 28, 2025
[BLOG] Managing HashiCorp Consul Access Control Lists with Terraform & Vault Consul	2	935	December 30, 2021
Best practices for "admin" policy? Vault	3	1384	October 2, 2020
Vault policy for terraform plan Vault	8	1824	April 1, 2022
Vault Configuration: Specialized Roles for Administrators Vault vault	12	349	September 6, 2023

How do we make sure that Operator of vault server cannot use admin's clients account (entity) to do something bad?

Related topics