25.6. Storing a Common Secret for Multiple Users
This section shows how an administrator can create a shared vault and allow other users to access the secret in the vault. The administrator archives a common password into the vault, and the other users are able to retrieve the password on any machine in the domain.
This section includes these procedures:
In the procedures:
shared_vault
is the vault used to store the common passwordadmin
is the administrator who creates the shared vault- the vault type is
standard
, so that accessing the archived password does not require the user to provide a vault password secret.txt
is the file containing the common secretuser1
anduser2
are the users allowed to access the vault
25.6.1. Creating the Shared Vault with the Common Secret
Create a shared vault and use it to store the common secret. Add the users who will be accessing the secret as vault members. The vault type is standard, which ensures any user accessing the secret will not be required to authenticate.
- Log in as the administrator:
$ kinit admin
- Create the shared vault:
$ ipa vault-add shared_vault --shared --type standard --------------------------- Added vault "shared_vault" --------------------------- Vault name: shared_vault Type: standard Owner users: admin Shared vault: True
- Archive the secret into the vault. Add the
--shared
option to specify that the vault is in the shared container:$ ipa vault-archive shared_vault --shared --in secret.txt ----------------------------------- Archived data into vault "shared_vault" -----------------------------------
NoteOne vault can only store one secret. - Add
user1
anduser2
as vault members:ipa vault-add-member shared_vault --shared --users={user1,user2} Vault name: shared_vault Type: standard Owner users: admin Shared vault: True Member users: user1, user2 ------------------------- Number of members added 2 -------------------------
25.6.2. Retrieving a Secret from a Shared Vault as a Member User
Log in as a member user of the vault, and export the file with the secret from the vault.
- Log in as the
user1
member user:$ kinit user1
- Retrieve the secret from the shared vault:
$ ipa vault-retrieve shared_vault --shared --out secret_exported.txt ----------------------------------------- Retrieved data from vault "shared_vault" -----------------------------------------