Network Architecture


I am looking for a recommended network architecture for a Vault deployment, along with network restrictions for dev teams, but couldn't find this in the Vault documentation.

The question is whether we shall restrict Vault access to the production environment only, from a security perspective. If yes, the following are the questions:

  1. If we do so, what's the recommended approach for administrators to write credentials into Vault? Shall they SSH to Vault and update the credentials?

  2. We have a use case of third-party credential storage in Vault where owners of multiple development teams shall have write access to Vault. Ideally, we shall not provide them administrator access to Vault. Then, how shall they write credentials into Vault? If we provide the Vault web UI, then we cannot restrict Vault access to the production environment.

Also, I would like to understand whether the Vault token shall be provided to developers or whether the Vault token shall be defined in Jenkins in the CI/CD pipeline.