Living Without Root Token

The Vault root token is the all-powerful way to login to Vault.

This token should only be used to setup the initial vault server and then be disabled.

This blog post will demonstrate how to safely remove your root token and run your day-to-day needs without it.

Vault Administrator Policy

The first thing we need to do is create a vault policy which will allow a subset of users to have the same level of access that a root token would grant.

First create the vault policy file.

path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]

Then you’ll need to write the proper policy

vault policy write vault-admins.hcl

Alternatively you can write directly to the sys/policy/<name> path

vault write sys/policy/vault-admins [email protected]

Create Users Using vault-admins Policy

Next, we enable the userpass authentication method.

vault auth enable userpass

Then we create users.

vault write auth/userpass/users/dcarter password=cangetin policies=vault-admins

Now we test the new admin user!

vault login -method userpass username=dcarter
... <snip> ...
vault secrets enable pki
Success! Enabled the pki secrets engine at: pki/

Removing the Root Token

After confirming that the admin role works you’ll want to remove the root token.

vault token revoke s.5uR1xpJvf6v33do9zPgjrTjC
Success! Revoked token (if it existed)

From this point on, most things can be done with the admin level users. == Re-creating the Root Token

If you get locked out of the admin level users, you may have to re-create a root token.

This is something that needs the full quorum of unseal key holders.

vault operator generate-root -init
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.
Nonce         49d030ae-b910-545a-b25b-29a2c7241114
Started       true
Progress      0/1
Complete      false
OTP           FKOWLuLKGo2N5uaXUCEgjjtOb4
OTP Length    26

Each unseal key holder will do the following command until quorum is reached

vault operator generate-root -otp="FKOWLuLKGo2N5uaXUCEgjjtOb4"
Operation nonce: 49d030ae-b910-545a-b25b-29a2c7241114
Unseal Key (will be hidden):
Nonce            49d030ae-b910-545a-b25b-29a2c7241114
Started          true
Progress         1/1
Complete         true
Encoded Token    NWUFbxkGFXwdNXY0dBxUb2YsKQoCGwYdMFE

You then decode the root token with the -decode command

vault operator generate-root -decode=NWUFbxkGFXwdNXY0dBxUb2YsKQoCGwYdMFE -otp FKOWLuLKGo2N5uaXUCEgjjtOb4

Optionally there are pgp flags you can pass to the generate-root command to encrypt the root token.