Hi,
I am using Ansible playbooks to install Debian updates on my HashiCorp Vault hosts.
But before I can reboot the server, I must ensure that the current HashiCorp Vault server is not the master server.
If the current server is the master server, I run a "vault operator step-down" manually before rebooting the host.
Is it possible to make an automated step-down without storing the root token in the Ansible playbook?
Regards,
Thomas
Hello,
Yes, it is possible. You can create a policy that has access only to this endpoint, something similar to this:
```
vault policy write step_down_policy - << EOF
path "/sys/step-down" {
  capabilities = ["update","sudo"]
}
EOF
```
and then create a token with only that policy attached to it with:
```
vault token create -policy=step_down_policy
```
The returned token is only good for executing the step-down operation. You should also take into account that the issued token has a TTL.
Martin
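As an added example of wiring the answer above into the playbook from the question (not code from either poster): these Ansible tasks ask the node's unauthenticated `/v1/sys/leader` endpoint whether it is the active node and only then call `/v1/sys/step-down` with the limited token. They assume `VAULT_ADDR` points at the node being patched and that a short-lived token minted with `step_down_policy` is passed in through the `VAULT_STEPDOWN_TOKEN` environment variable (both names are the example's own choice).

```yaml
# Added example, not from the thread. Assumes:
#   VAULT_ADDR            -> address of the Vault node being patched
#   VAULT_STEPDOWN_TOKEN  -> token minted right before the run with a short TTL, e.g.
#                            vault token create -policy=step_down_policy -ttl=15m -field=token
- name: Ask the node whether it is currently the active (leader) node
  ansible.builtin.uri:
    url: "{{ lookup('env', 'VAULT_ADDR') }}/v1/sys/leader"   # no token needed for this endpoint
    method: GET
    return_content: true
  register: leader

- name: Step down only if this node is the active node
  ansible.builtin.uri:
    url: "{{ lookup('env', 'VAULT_ADDR') }}/v1/sys/step-down"
    method: PUT
    headers:
      X-Vault-Token: "{{ lookup('env', 'VAULT_STEPDOWN_TOKEN') }}"
    status_code: 204          # Vault answers 204 No Content on a successful step-down
  no_log: true                # keep the token out of the Ansible log
  when: leader.json.is_self | bool

- name: Wait until another node has taken over before rebooting
  ansible.builtin.uri:
    url: "{{ lookup('env', 'VAULT_ADDR') }}/v1/sys/leader"
    method: GET
    return_content: true
  register: leader
  until: not (leader.json.is_self | bool)
  retries: 10
  delay: 3
```

Because the token only carries `step_down_policy`, leaking it would at most let someone force a leader election; it cannot read or write any secrets.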