25.6. Storing a Common Secret for Multiple Users

This section shows how an administrator can create a shared vault and allow other users to access the secret in the vault. The administrator archives a common password into the vault, and the other users are able to retrieve the password on any machine in the domain.
This section includes these procedures:
In the procedures:
  • shared_vault is the vault used to store the common password
  • admin is the administrator who creates the shared vault
  • the vault type is standard, so that accessing the archived password does not require the user to provide a vault password
  • secret.txt is the file containing the common secret
  • user1 and user2 are the users allowed to access the vault

25.6.1. Creating the Shared Vault with the Common Secret

Create a shared vault and use it to store the common secret. Add the users who will be accessing the secret as vault members. The vault type is standard, which ensures any user accessing the secret will not be required to authenticate.
  1. Log in as the administrator:
    $ kinit admin
  2. Create the shared vault:
    $ ipa vault-add shared_vault --shared --type standard
    ---------------------------
    Added vault "shared_vault"
    ---------------------------
      Vault name: shared_vault
      Type: standard
      Owner users: admin
      Shared vault: True
  3. Archive the secret into the vault. Add the --shared option to specify that the vault is in the shared container:
    $ ipa vault-archive shared_vault --shared --in secret.txt
    -----------------------------------
    Archived data into vault "shared_vault"
    -----------------------------------

    Note

    One vault can only store one secret.
  4. Add user1 and user2 as vault members:
    ipa vault-add-member shared_vault --shared --users={user1,user2}
    Vault name: shared_vault
    Type: standard
    Owner users: admin
    Shared vault: True
    Member users: user1, user2
    -------------------------
    Number of members added 2
    -------------------------

25.6.2. Retrieving a Secret from a Shared Vault as a Member User

Log in as a member user of the vault, and export the file with the secret from the vault.
  1. Log in as the user1 member user:
    $ kinit user1
  2. Retrieve the secret from the shared vault:
    $ ipa vault-retrieve shared_vault --shared --out secret_exported.txt
    -----------------------------------------
    Retrieved data from vault "shared_vault"
    -----------------------------------------