Reference: OpenBao Path Policies
On The Contain Platform, access permissions for secrets stored in the central OpenBao secrets store are determined by the path under which a secret is written. This lets you classify secrets by sensitivity and by who (or what) should be able to access them.
The following outlines the available path structures and the policies that apply to each.
Default Path
- Path Format: `k8s/<cluster>/<namespace>/<secret-name>`
- Purpose: The default for most application secrets.
- Permissions: Humans can create, update, and delete, but cannot read a value back from the store once it has been written. This is the safest default: a value written here is never echoed back to a person, so it cannot be accidentally exposed.
Unrestricted Path
- Path Format: `k8s/<cluster>/<namespace>/unrestricted/<secret-name>`
- Purpose: For secrets that humans legitimately need to read back, such as configuration values or passwords for shared development tools.
- Permissions: Humans can list, create, update, delete, and read.
Restricted Path
- Path Format: `k8s/<cluster>/<namespace>/restricted/<secret-name>`
- Purpose: For semi-automated secrets, such as temporary tokens, that are managed by automation but may be created by a human.
- Permissions: Humans can create, update, and delete, but cannot read the values back.
Automated Path
- Path Format: `k8s/<cluster>/<namespace>/automated/<secret-name>`
- Purpose: For fully machine-managed secrets such as service account keys or auto-rotated credentials.
- Permissions: Humans can only list the secret names; they cannot read, create, update, or delete the secrets. This path is reserved for automated systems.