HashiCorp Cloud Platform
Establish a secure access control model
Before you begin managing secrets with HCP Vault Secrets, you need to configure the appropriate roles in HCP to ensure only the people and processes that need access to a secret are able to access it.
Prerequisites
- An existing HCP account
Design a permission strategy
Security teams design access and authorization workflows around the concept of least privilege. This means that an entity such as a Kubernetes pod, CI/CD pipeline, or developer can only access information and perform actions required by their job.
HCP Vault Secrets allows HCP administrators the ability to follow this model across HCP organizations, projects, and HCP Vault Secrets applications. You can assign roles with pre-defined permissions to both users, groups, and service principals. These include roles with broader permissions for administration and fine-grained roles with narrowly scoped permissions for applying least privilege control for secret access.
HCP users are typically individuals who need to interact with HCP resources through the HCP Portal or HCP CLI. Service principals authenticate from applications, hosted services, and automated tools. Both users and service principals can be added to groups.
A good practice is to assign roles at the group level, and limit assigning roles to individual users. This tutorial focuses on assigning roles to groups and granting those groups different levels of access within HCP Vault Secrets. You can also assign secrets access to an individual service principal to provide workload(s) access to only the secrets they need.
An example of the types of groups you will need includes:
HCP project admin group: Each project in your organization should have a group to assign the admin role. The admin role grants full access to a project for any user added to the group. The admin role is the only role permitted to view audit logs for HCP Vault Secrets. This group is not assigned any roles at the organization level.
HCP Vault Secrets global manager group: Once the admin group is established, create a group that can access all HCP Vault Secrets applications. This group is not assigned any roles at the organization level. You will assign this group the app manager role at the project level, and across any other projects where HCP Vault Secrets is enabled.
HCP Vault Secrets app manager group: Create another group with the app manager role that only has access to a single HCP Vault Secrets app. Unlike the global admin group, this group can only manage a single app in HCP Vault Secrets, in a single project.
HCP Vault Secrets app reader group: Create a group that allows access to read secrets from the app. This group can read static secrets, rotating secrets, and request dynamic secrets from HVS from a single app, in a single project.
The diagram visualizes what this access control model with least privilege principles applied looks like to limit access to only the secrets a user or workload requires.
Create groups
To complete this section, you will need access to an HCP IAM user account assigned either the HCP owner or admin role.
Launch the HCP Portal and login.
Click the project selection menu and click on the organization.
Click Access control (IAM).
Click Groups.
Click Create group.
In the Group name field enter
hvs_global_app_admins
and click Create group.Click Back to groups.
Click Create group again, enter
hvs_app_manager_exampleapplication
in the Group name field, and click Create group.In a later tutorial, you will create a app named
exampleapplication
. Thehvs_app_manager_exampleapplication
group and the HCP Vault Secrets app has a 1-to-1 relationship.Click Back to groups.
Click Create group again, enter
hvs_secret_reader_exampleapplication
in the Group name field, and click Create group.You created three groups in your HCP organization -
hvs_global_app_admins
,hvs_app_manager_exampleapplication
,hvs_secret_reader_exampleapplication
. These groups have no roles assigned at the organization level.
Assign project level access
To complete this section, you will need access to an HCP user account assigned either the HCP owner or admin role. Once you complete this section, any HCP user assigned the hvs_global_app_admins role can add or remove access to an app.
Click the project selection menu and select the project you wish to connect to. This tutorial uses a project named Production.
Click Access control (IAM).
Click Add new assignment.
Click the pulldown menu, enter
hvs
in the search textbox, and select hvs_global_app_admins.Click the Select service pulldown and select Secrets. Selecting this option will apply the role permissions across any app created in HCP Vault Secrets for the selected project.
Click the Select role(s) pulldown and click the checkbox for Vault Secrets App Manager.
Click Save. Any HCP user added to the hvs_global_app_admins group will have access to all apps created in HCP Vault Secrets.
Click Back to Dashboard.
Assign app level access
To complete this section, you will need access to an HCP IAM user account assigned project admin role or be a member of the hvs_global_app_admins group.
From the Overview page, click Vault Secrets.
The HCP Vault Secrets Overview page will load.
Click Create first app.
Enter
ExampleApplication
in the App name field and click Create App.Click Role assignments. The organization owner and the hvs_global_app_admins group have permission to the new application. The organization owner role has access to all HCP resources, and the hvs_global_app_admins group has access because it was assigned the App Manager role at the project level.
Click Add new assignment.
Click the pulldown menu, enter
hvs
in the search textbox, and select hvs_app_manager_exampleapplication.Click the Select role(s) pulldown and click the checkbox for Vault Secrets App Manager**. Because you are applying the role at the application level, this group will only have permission to the HCP Vault Secrets ExampleApplication app.
Click Save.
Click Add new assignment again, search for and select hvs_secret_reader_exampleapplication, select the Vault Secrets App Secret Reader role, then click Save.
The three groups you created all have access to the HCP Vault Secrets exampleapplication app. The hvs_app_manager_exampleapplication and hvs_secret_reader_exampleapplication groups only have access to this app because you assigned the roles at the app level. The hvs_global_app_admins group has access because you assigned the role at the HCP project level.
Next steps
In this tutorial you created groups and assigned roles to manage access to HCP Vault Secrets.
In the next section, you will see how to add secrets to HCP Vault Secrets.