Skip to main content

Default IAM Configuration

Learn about the default IAM configuration

Vault comes with a default IAM configuration. This default configuration defines a list of roles with access control capabilities and policies suitable for most use cases. These roles can be used as the basis for creating your configuration, for example, by copying and amending roles to match the needs of your use cases.

  1. Admin - A special built-in user typically used by the DevOps team or system admin to control the Vault instance. This user has access to all APIs but, by default, is blocked from accessing data in production. You can control this user's access to data using the PVAULT_SERVICE_ADMIN_MAY_READ_DATA environment variable. Also, you define the user's API key using the PVAULT_SERVICE_ADMIN_API_KEY environment variable.
  2. Security admin - a user that controls the list of users, roles and policies of who can access Vault. For example, lead developers who operate the vault.
  3. Developer - developers who write applications that use the vault.
  4. Vault scheduler - a scheduler service that triggers key rotation and cleanup of archived objects. (Coming soon 🎁 This activity will be performed automatically by Vault according to defined schedules.)
  5. CI/CD - the pipeline that deploys applications that use the vault. When employed in GitOps and IAC, the pipeline typically configures collections and IAM.
  6. External application - a public service, for example, a public web server accessible by end users. This service may collect sensitive information, for example, during registration or sign-up, but should have limited read access to avoid exposing sensitive information.
  7. Internal application - an application used by trusted persons, for example, support or administration, to manage and administrate users.
  8. Privileged service - internal high-privileged services. For example, an identity service that manages all end users.
  9. Token consumer service - a service that requires access to minimal amounts of sensitive data, typically by detokenizing it. For example, a mailing service that needs to detokenize the target email and first and last names.

Access Control - Capabilities

This table shows how the default configuration assigns capabilities to users.

CapabilityPurposeSec. adminDevsVault schedulerCI/CDExt. appInt. appPriv. serviceToken consumer
CapIAMReaderRead the list of usersVVV
CapIAMWriterSet users and API keysVV
CapKMSReaderGet the status of the KMSVVVV
CapKMSWriterRotate keysVVV
CapConfvarReaderRead log levelVVV
CapConfvarWriterWrite log levelVV
CapErrorWriterTrigger an artificial error for testing purposesVV
CapClusterInfoReaderGet cluster information, including cache propagationVVV
CapInfoReaderGet system informationVVV
CapSystemGCRunnerDelete archived objects and tokensVV
CapCollectionsReaderRead collection definitionsVV
CapCollectionsWriterWrite collection definitionsVV
CapSchemaReaderRead types and transformationsVV
CapDataReaderRead dataVVV
CapDataWriterWrite dataVVV
CapDataSearcherSearch dataVVV
CapTokensReaderRead token metadataV
CapTokensWriterTokenize and write token metadataV
CapTokensDetokenizerDetokenizeVV

Policies

Policies provide applications and services with access to data.

The default IAM configuration includes a list of policies that define operations and the sensitivity of the data type they can access. These policies simplify the definition of policies for each role. The name of each policy is derived using this template: Pol[Allow|Deny][Read|WriteDelete|Search|Tokenize|Detokeniz|All][Meta|Low|Med|High|PCI|All]. For example, the PolAllowReadLow policy allows read access to low-sensitivity data types, while the PolDenyAllHigh policy denies all operations on high-sensitivity data types.

Data sensitivities are defined based on data type as follows:

  • Low – gender, email.mask, and phone_number.mask
  • Medium – date_of_birth, zip_code_us, us_bank_routing, ssn.mask, ban.mask, and cc_number.mask
  • High – email, ssn, phone_number, name, address, us_bank_account_number, ban, cc_holder_name , and cc_expiration_string
  • PCI – cc_number and cc_cvv
  • Meta (all built-in properties) – _*

Note: standard data types aren't covered by any of these policies, as the sensitivity depends on the specific use.

Using these policies, each application and service is assigned policies that match its use case.

[roles]
# Humans
[roles.SecurityAdmin]
capabilities = ["CapIAMReader", "CapIAMWriter", "CapKMSReader", "CapKMSWriter",
"CapConfvarReader", "CapConfvarWriter", "CapErrorWriter", "CapClusterInfoReader",
"CapInfoReader", "CapSystemGCRunner"]
policies = ["PolDenyAllAll"]

[roles.Developer]
capabilities = ["CapIAMReader", "CapKMSWriter", "CapConfvarReader", "CapClusterInfoReader",
"CapInfoReader", "CapCollectionsReader", "CapCollectionsWriter", "CapSchemaReader"]
policies = ["PolDenyAllAll"]

# Management entities
[roles.VaultScheduler]
capabilities = ["CapKMSReader", "CapKMSWriter", "CapSystemGCRunner"]
policies = ["PolDenyAllAll"]

[roles.CICD]
capabilities = ["CapIAMReader", "CapIAMWriter", "CapKMSReader", "CapKMSWriter",
"CapConfvarReader", "CapConfvarWriter", "CapErrorWriter", "CapClusterInfoReader",
"CapInfoReader", "CapCollectionsReader", "CapCollectionsWriter", "CapSchemaReader"]
policies = ["PolDenyAllAll"]

## Services and applications
[roles.ExternalApplication]
capabilities = ["CapDataReader", "CapDataWriter", "CapDataSearcher"]
policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowWriteDeleteHigh", "PolAllowSearchHigh"]

[roles.InternalApplication]
capabilities = ["CapDataReader", "CapDataWriter", "CapDataSearcher"]
policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowReadHigh", "PolAllowWriteDeleteHigh", "PolAllowSearchHigh"]

[roles.PrivilegedService]
capabilities = ["CapDataReader", "CapDataWriter", "CapDataSearcher", "CapTokensReader",
"CapTokensWriter", "CapTokensDetokenizer"]
policies = ["PolAllowAllMeta", "PolAllowAllLow", "PolAllowAllMed", "PolAllowAllHigh"]

[roles.TokensConsumer]
capabilities = ["CapTokensDetokenizer"]
policies = ["PolAllowDetokenizeAll", "PolDenyDetokenizePci"]

[users]

[users.SecurityAdmin]
role = "SecurityAdmin"

[users.Developer]
role = "Developer"

[users.VaultScheduler]
role = "VaultScheduler"

[users.CICD]
role = "CICD"

[users.Webapp]
role = "ExternalApplication"

[users.SupportApp]
role = "InternalApplication"

[users.IdentityService]
role = "PrivilegedService"

[users.TokensConsumer]
role = "TokensConsumer"