Step-down without root Token


I am using Ansible playbooks to install Debian updates on my HashiCorp Vault hosts.

But before I can reboot the server, I must ensure that the current HashiCorp Vault server is not the master server.
If the current server is the master server, I run a “vault operator step-down” manually before rebooting the host.

Is it possible to make an automated step-down without storing the root token in the Ansible playbook?



Yes, it is possible. You can create a policy that has access only to this endpoint, something similar to this:

vault policy write step_down_policy - << EOF
# Only the step-down endpoint; it requires the sudo capability in addition to update.
path "sys/step-down" {
  capabilities = ["update","sudo"]
}
EOF

and then create a token with only that policy attached to it with:

vault token create -policy=step_down_policy

The returned token is only good for executing the step-down operation. You should also take into account that the issued token has a TTL.

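
One way to put the answer above into a pre-reboot hook, as an added example that is not code from the thread: the host checks `vault status` (which needs no token) to see whether it is the active node, and only then runs the step-down with the scoped token. The token file path is an assumption.

```shell
#!/usr/bin/env sh
# Added example (not from the original thread): find out on the host itself whether it
# is the active Vault node and, only then, step down with the scoped token, not root.
# Assumes VAULT_ADDR points at the local node and the token made with step_down_policy
# is stored in /etc/vault.d/step-down.token (assumed path, mode 0600).

# Return 0 when the JSON on stdin reports HA enabled, 1 otherwise.
vault_ha_enabled() {
    grep -Eq '"ha_enabled"[[:space:]]*:[[:space:]]*true'
}

# Return 0 when the JSON on stdin reports this node as the active node.
vault_is_self_leader() {
    grep -Eq '"is_self"[[:space:]]*:[[:space:]]*true'
}

# Map the `vault status -format=json` output (passed as $1) to one of:
# "step-down" (we are active), "standby" (another node is active), "no-ha".
# `vault status` needs no token, so no credential is used for the decision.
vault_step_down_action() {
    if ! printf '%s' "$1" | vault_ha_enabled; then
        echo "no-ha"
    elif printf '%s' "$1" | vault_is_self_leader; then
        echo "step-down"
    else
        echo "standby"
    fi
}

# Pre-reboot hook: only the scoped token is exposed, and only to the one command.
# Exit code 2 from `vault status` means the node is sealed, so it cannot be active.
vault_step_down_if_active() {
    token_file="${1:-/etc/vault.d/step-down.token}"
    status_json="$(vault status -format=json)"
    case $? in
        0) ;;
        2) echo "node is sealed, nothing to do"; return 0 ;;
        *) echo "vault status failed" >&2; return 1 ;;
    esac
    case "$(vault_step_down_action "$status_json")" in
        step-down) VAULT_TOKEN="$(cat "$token_file")" vault operator step-down ;;
        standby)   echo "standby node, nothing to do" ;;
        no-ha)     echo "HA not enabled, nothing to do" ;;
    esac
}

# Constructed sample of the relevant `vault status -format=json` fields on an active node.
SAMPLE_ACTIVE_STATUS='{"sealed": false, "ha_enabled": true, "is_self": true}'
# Run for real with: sh step_down.sh --run   (for example from an Ansible pre-reboot task)
if [ "${1:-}" = "--run" ]; then vault_step_down_if_active; fi
```

Creating the stored token with a short `-ttl` and `-use-limit` limits what a leaked token file can do, at the cost of re-issuing it before each maintenance run.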