Default IAM Configuration
Learn about the default IAM configuration
Vault comes with a default IAM configuration. This default configuration defines a list of roles with access control capabilities and policies suitable for most use cases. These roles can be used as the basis for creating your configuration, for example, by copying and amending roles to match the needs of your use cases.
- Admin - A special built-in user, typically used by the DevOps team or a system admin, to control the Vault instance. This user has access to all APIs but, by default, is blocked from accessing data in production. You control this user's access to data with the `PVAULT_SERVICE_ADMIN_MAY_READ_DATA` environment variable, and you set the user's API key with the `PVAULT_SERVICE_ADMIN_API_KEY` environment variable.
  Note: If you're using the hosted version of Vault, contact us if you wish to enable admin access to data or change the admin API key.
- Security admin - A user who controls the list of users, roles and policies that govern who can access Vault. For example, lead developers who operate the vault.
- Developer - Developers who write applications that use the vault.
- Vault scheduler - A scheduler service that triggers key rotation and cleanup of archived objects. (Coming soon 🎁 This activity will be performed automatically by Vault according to defined schedules.)
- CI/CD - The pipeline that deploys applications that use the vault. In GitOps and IaC setups, the pipeline typically also configures collections and IAM.
- External application - A public service, for example, a public web server accessible by end users. This service may collect sensitive information, for example, during registration or sign-up, but should have limited read access to avoid exposing sensitive information.
- Internal application - An application used by trusted persons, for example, support or administration staff, to manage users.
- Privileged service - Internal high-privileged services. For example, an identity service that manages all end users.
- Token consumer service - A service that needs access to a minimal amount of sensitive data, typically by detokenizing it. For example, a mailing service that needs to detokenize the target email address and first and last names.
Access Control - Capabilities
This table shows which capabilities the default configuration assigns to each role. The checkmarks follow the role definitions reproduced in the Policies section below, which is the authoritative source. The built-in admin user is not listed because it holds every capability; in the default configuration, CapCodeWriter and CapTypesWriter are held by the admin user only.

| Capability | Purpose | Sec. admin | Devs | Vault scheduler | CI/CD | Ext. app | Int. app | Priv. service | Token consumer |
|---|---|---|---|---|---|---|---|---|---|
| CapIAMReader | Read the list of users | V | V | | V | | | | |
| CapIAMWriter | Set users and API keys | V | | | V | | | | |
| CapKMSReader | Get the status of the KMS | V | | V | V | | | | |
| CapKMSWriter | Rotate keys | V | V | V | V | | | | |
| CapConfvarReader | Read log level | V | V | | V | | | | |
| CapConfvarWriter | Write log level | V | | | V | | | | |
| CapErrorWriter | Trigger an artificial error for testing purposes | V | | | V | | | | |
| CapClusterInfoReader | Get cluster information, including cache propagation | V | V | | V | | | | |
| CapInfoReader | Get system information | V | V | | V | | | | |
| CapSystemGCRunner | Delete archived objects and tokens | V | | V | | | | | |
| CapCollectionsReader | Read collection definitions | | V | | V | | | | |
| CapCollectionsWriter | Write collection definitions | | V | | V | | | | |
| CapCodeReader | Read bundles | | V | | V | | | | |
| CapCodeWriter | Write (add, update and delete) bundles | | | | | | | | |
| CapTypesReader | Read data types | | V | | V | | | | |
| CapTypesWriter | Write (add and delete) data types | | | | | | | | |
| CapDataReader | Read data | | | | | V | V | V | |
| CapDataWriter | Write data | | | | | V | V | V | |
| CapDataSearcher | Search data | | | | | V | V | V | |
| CapTokensReader | Read token metadata | | | | | | | V | |
| CapTokensWriter | Tokenize and write token metadata | | | | | | | V | |
| CapTokensDetokenizer | Detokenize | | | | | | | V | V |
Policies
Policies give applications and services access to data.
The default IAM configuration includes a set of policies, each defined by an operation and the sensitivity of the data types it applies to. Assigning these ready-made policies to a role is simpler than writing a policy per role. Policy names follow this template: `Pol[Allow|Deny][Read|WriteDelete|Search|Tokenize|Detokenize|All][Meta|Low|Med|High|Pci|All]`. For example, the `PolAllowReadLow` policy allows read access to low-sensitivity data types, while the `PolDenyAllHigh` policy denies all operations on high-sensitivity data types.
Data sensitivities are defined based on data type as follows:
- Low – `gender`, `email.mask`, and `phone_number.mask`
- Medium – `date_of_birth`, `zip_code_us`, `us_bank_routing`, `ssn.mask`, `ban.mask`, and `cc_number.mask`
- High – `email`, `ssn`, `phone_number`, `name`, `address`, `us_bank_account_number`, `ban`, `cc_holder_name`, and `cc_expiration_string`
- PCI – `cc_number` and `cc_cvv`
- Meta (all built-in properties) – `_*`
Note: standard data types aren't covered by any of these policies, as their sensitivity depends on the specific use.
Using these policies, each application and service is assigned the policies that match its use case. The complete default configuration:

```toml
[roles]
# Humans
[roles.SecurityAdmin]
capabilities = ["CapIAMReader", "CapIAMWriter", "CapKMSReader", "CapKMSWriter",
"CapConfvarReader", "CapConfvarWriter", "CapErrorWriter", "CapClusterInfoReader",
"CapInfoReader", "CapSystemGCRunner"]
policies = ["PolDenyAllAll"]  # no data access for humans
[roles.Developer]
capabilities = ["CapIAMReader", "CapKMSWriter", "CapConfvarReader", "CapClusterInfoReader",
"CapInfoReader", "CapCollectionsReader", "CapCollectionsWriter", "CapCodeReader", "CapTypesReader"]
policies = ["PolDenyAllAll"]
# Management entities
[roles.VaultScheduler]
capabilities = ["CapKMSReader", "CapKMSWriter", "CapSystemGCRunner"]
policies = ["PolDenyAllAll"]
[roles.CICD]
capabilities = ["CapIAMReader", "CapIAMWriter", "CapKMSReader", "CapKMSWriter",
"CapConfvarReader", "CapConfvarWriter", "CapErrorWriter", "CapClusterInfoReader",
"CapInfoReader", "CapCollectionsReader", "CapCollectionsWriter", "CapCodeReader", "CapTypesReader"]
policies = ["PolDenyAllAll"]
# Services and applications
[roles.ExternalApplication]
capabilities = ["CapDataReader", "CapDataWriter", "CapDataSearcher"]
# can write and search high-sensitivity data, but not read it back
policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowWriteDeleteHigh", "PolAllowSearchHigh"]
[roles.InternalApplication]
capabilities = ["CapDataReader", "CapDataWriter", "CapDataSearcher"]
policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowReadHigh", "PolAllowWriteDeleteHigh", "PolAllowSearchHigh"]
[roles.PrivilegedService]
capabilities = ["CapDataReader", "CapDataWriter", "CapDataSearcher", "CapTokensReader",
"CapTokensWriter", "CapTokensDetokenizer"]
policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowAllHigh"]
[roles.TokensConsumer]
capabilities = ["CapTokensDetokenizer"]
# detokenize anything except PCI data
policies = ["PolAllowDetokenizeAll", "PolDenyDetokenizePci"]

[users]
[users.SecurityAdmin]
role = "SecurityAdmin"
[users.Developer]
role = "Developer"
[users.VaultScheduler]
role = "VaultScheduler"
[users.CICD]
role = "CICD"
[users.Webapp]
role = "ExternalApplication"
[users.SupportApp]
role = "InternalApplication"
[users.IdentityService]
role = "PrivilegedService"
[users.TokensConsumer]
role = "TokensConsumer"
```