Default IAM Configuration

Learn about the default IAM configuration

Vault comes with a default IAM configuration. This default configuration defines a list of roles with access control capabilities and policies suitable for most use cases. These roles can be used as the basis for creating your configuration, for example, by copying and amending roles to match the needs of your use cases.

1. Admin - A special built-in user typically used by the DevOps team or system admin to control the Vault instance. This user has access to all APIs but, by default, is blocked from accessing data in production. You can control this user's access to data using the PVAULT_SERVICE_ADMIN_MAY_READ_DATA environment variable. Also, you define the user's API key using the PVAULT_SERVICE_ADMIN_API_KEY environment variable.
   note

   If you're using the hosted version of Vault, contact us if you wish to enable admin access to data or change the admin API key.

2. Security admin - a user that controls the list of users, roles and policies of who can access Vault. For example, lead developers who operate the vault.
3. Developer - developers who write applications that use the vault.
4. Vault scheduler - a scheduler service that triggers key rotation and cleanup of archived objects. (Coming soon 🎁 This activity will be performed automatically by Vault according to defined schedules.)
5. CI/CD - the pipeline that deploys applications that use the vault. When employed in GitOps and IAC, the pipeline typically configures collections and IAM.
6. External application - a public service, for example, a public web server accessible by end users. This service may collect sensitive information, for example, during registration or sign-up, but should have limited read access to avoid exposing sensitive information.
7. Internal application - an application used by trusted persons, for example, support or administration, to manage and administrate users.
8. Privileged service - internal high-privileged services. For example, an identity service that manages all end users.
9. Token consumer service - a service that requires access to minimal amounts of sensitive data, typically by detokenizing it. For example, a mailing service that needs to detokenize the target email and first and last names.

Access Control - Capabilities

This table shows how the default configuration assigns capabilities to users.

Capability	Purpose	Sec. admin	Devs	Vault scheduler	CI/CD	Ext. app	Int. app	Priv. service	Token consumer
CapIAMReader	Read the list of users	V	V		V
CapIAMWriter	Set users and API keys	V			V
CapKMSReader	Get the status of the KMS	V	V	V	V
CapKMSWriter	Rotate keys	V		V	V
CapConfvarReader	Read log level	V	V		V
CapConfvarWriter	Write log level	V			V
CapErrorWriter	Trigger an artificial error for testing purposes	V			V
CapClusterInfoReader	Get cluster information, including cache propagation	V	V		V
CapInfoReader	Get system information	V	V		V
CapSystemGCRunner	Delete archived objects and tokens	V		V
CapCollectionsReader	Read collection definitions		V		V
CapCollectionsWriter	Write collection definitions		V		V
CapCodeReader	Read bundles		V		V
CapCodeWriter	Write (add, update and delete) bundles				V
CapTypesReader	Read data types		V		V
CapTypesWriter	Write (and and delete) data types				V
CapDataReader	Read data					V	V	V
CapDataWriter	Write data					V	V	V
CapDataSearcher	Search data					V	V	V
CapTokensReader	Read token metadata							V
CapTokensWriter	Tokenize and write token metadata							V
CapTokensDetokenizer	Detokenize							V	V

Policies

Policies provide applications and services with access to data.

The default IAM configuration includes a list of policies that define operations and the sensitivity of the data type they can access. These policies simplify the definition of policies for each role. The name of each policy is derived using this template: Pol[Allow|Deny][Read|WriteDelete|Search|Tokenize|Detokeniz|All][Meta|Low|Med|High|PCI|All]. For example, the PolAllowReadLow policy allows read access to low-sensitivity data types, while the PolDenyAllHigh policy denies all operations on high-sensitivity data types.

Data sensitivities are defined based on data type as follows:

• Low – gender, email.mask, and phone_number.mask
• Medium – date_of_birth, zip_code_us, us_bank_routing, ssn.mask, ban.mask, and cc_number.mask
• High – email, ssn, phone_number, name, address, us_bank_account_number, ban, cc_holder_name , and cc_expiration_string
• PCI – cc_number and cc_cvv
• Meta (all built-in properties) – _*

Note: standard data types aren't covered by any of these policies, as the sensitivity depends on the specific use.

Using these policies, each application and service is assigned policies that match its use case.

[roles]
    # Humans
    [roles.SecurityAdmin]
        capabilities = ["CapIAMReader", "CapIAMWriter", "CapKMSReader", "CapKMSWriter", 
            "CapConfvarReader", "CapConfvarWriter", "CapErrorWriter", "CapClusterInfoReader", 
            "CapInfoReader", "CapSystemGCRunner"]
        policies = ["PolDenyAllAll"]

    [roles.Developer]
        capabilities = ["CapIAMReader", "CapKMSWriter", "CapConfvarReader", "CapClusterInfoReader", 
            "CapInfoReader", "CapCollectionsReader", "CapCollectionsWriter", "CapCodeReader", "CapTypesReader"]
        policies = ["PolDenyAllAll"]

    # Management entities
    [roles.VaultScheduler]
        capabilities = ["CapKMSReader", "CapKMSWriter", "CapSystemGCRunner"]
        policies = ["PolDenyAllAll"]

    [roles.CICD]
        capabilities = ["CapIAMReader", "CapIAMWriter", "CapKMSReader", "CapKMSWriter", 
            "CapConfvarReader", "CapConfvarWriter", "CapErrorWriter", "CapClusterInfoReader", 
            "CapInfoReader", "CapCollectionsReader", "CapCollectionsWriter", "CapCodeReader", "CapTypesReader"]
        policies = ["PolDenyAllAll"]

    ## Services and applications
    [roles.ExternalApplication]
        capabilities = ["CapDataReader", "CapDataWriter", "CapDataSearcher"]
        policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowWriteDeleteHigh", "PolAllowSearchHigh"]

    [roles.InternalApplication]
        capabilities = ["CapDataReader", "CapDataWriter", "CapDataSearcher"]
        policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowReadHigh", "PolAllowWriteDeleteHigh", "PolAllowSearchHigh"]

    [roles.PrivilegedService]
        capabilities = ["CapDataReader", "CapDataWriter", "CapDataSearcher", "CapTokensReader",
            "CapTokensWriter", "CapTokensDetokenizer"]
        policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowAllHigh"]

    [roles.TokensConsumer]
        capabilities = ["CapTokensDetokenizer"]
        policies = ["PolAllowDetokenizeAll", "PolDenyDetokenizePci"]

[users]

    [users.SecurityAdmin]
    role = "SecurityAdmin"

    [users.Developer]
    role = "Developer"

    [users.VaultScheduler]
    role = "VaultScheduler"

    [users.CICD]
    role = "CICD"

    [users.Webapp]
    role = "ExternalApplication"

    [users.SupportApp]
    role = "InternalApplication"

    [users.IdentityService]
    role = "PrivilegedService"

    [users.TokensConsumer]
    role = "TokensConsumer"