Password and keys
Understand Vault password access, user-key access, and their different powers.
The Vault has two authentication modes: password and user key.
Password access
The password is the administrative credential. It unlocks the Vault for operations that change shared project state:
- creating and editing project secrets;
- creating, renaming, and deleting environments;
- importing
.envfiles; - generating user keys;
- changing the password;
- reading decrypted snapshots.
The password is also used to derive encryption material for the store. Changing the password re-encrypts the password-protected material.
User-key access
A user key is generated from password-authenticated access and scoped to selected environments. It can read secrets in those environments and write per-user secrets, but it cannot administer the Vault.
Use user keys for applications, CI jobs, and developers who only need selected environments.
Environment scoping
When a user key is created, Fatima wraps access for the selected environments only. If the key is scoped to development, it cannot read production.
Rotation
Rotate access by creating a new user key, distributing it through your normal secret channel, and removing use of the old key. Rotate the password when administrative access should change.