From f15f15cbd43f0960933ce31b9f36d93b23edfb23 Mon Sep 17 00:00:00 2001 From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com> Date: Thu, 24 Apr 2025 18:31:35 +0000 Subject: [PATCH] backport of commit 1d1fd4b43606e2b610348f9217922d106ee3fa94 --- .../concepts/domain-model/credential-stores.mdx | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/website/content/docs/concepts/domain-model/credential-stores.mdx b/website/content/docs/concepts/domain-model/credential-stores.mdx index b176b00725..f1cad8a49f 100644 --- a/website/content/docs/concepts/domain-model/credential-stores.mdx +++ b/website/content/docs/concepts/domain-model/credential-stores.mdx @@ -8,20 +8,27 @@ description: >- # Credential stores A credential store is a resource -that can retrieve, store, and potentially generate [credentials][] +that can retrieve [credentials][] of differing types and differing access levels. It belongs to a [project][] and supports the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) by providing mechanisms to limit the [credentials][] it can access to the minimum necessary for the project it is in. -A credential store can also contain [credential libraries][]. + +Credential stores either generate or store credentials, depending on the type: + +- Vault credential stores contain [credential libraries][]. + You use credential libraries to issue credentials. + +- Static credential stores contain credentials, not credential libraries. + When you use static credential stores, the credentials are stored directly in Boundary. ## Attributes A credential store has the following configurable attributes: - `name` - (optional) - If set, the `name` must be unique within the credential store's [project][]. + If set, the `name` must be unique within the credential store's project. - `description` - (optional) 
@@ -63,7 +70,7 @@ A Vault credential store has the following additional attributes: This allows the use of private Vault instances with Boundary. Workers deployed in the same network as a private Vault instance can access and relay Vault requests to Boundary controllers. - ~> **Note:** A worker that matches the worker filter must exist before defining the Vault credential store, as it + A worker that matches the worker filter must exist before defining the Vault credential store, as it will perform the Vault calls needed to set up the credential store with Boundary. ### Static credential store attributes @@ -99,7 +106,7 @@ All tokens must also have the capabilities of the ### Vault policies The credential store's token must have the capabilities to issue credentials for -each of it's [credential libraries][] plus the capabilities of the +each of its credential libraries plus the capabilities of the [Vault Boundary Controller Policy][token_policy] described below. We recommend creating a unique Vault policy for each Vault credential store that
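Review bot: In the first hunk (credential-stores.mdx, `@@ -8,20 +8,27 @@`) the opening sentence is trimmed to "that can retrieve [credentials][]" while the list added just below it says stores "either generate or store credentials"; the two statements now describe different capabilities, so consider keeping "retrieve, store, or generate" in the lead sentence, or rewording the list so it matches. The same hunk also turns `[project][]` into plain `project` in the `name` attribute with no explanation in the commit message; if the intent is to avoid linking the same term twice on one page that is fine, but the reference is still defined and used two paragraphs above ("It belongs to a [project][]"), so the link was valid as it stood.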
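Review bot: Dropping the `~> **Note:**` callout marker in the second hunk (`@@ -63,7 +70,7 @@`) demotes the worker prerequisite ("A worker that matches the worker filter must exist before defining the Vault credential store") from a highlighted admonition to ordinary body text. This is an ordering requirement: without a matching worker the Vault calls that set up the store cannot be relayed, and readers tend to skim past that in plain prose. If the `~>` syntax is being retired, consider keeping the sentence emphasized, for example `**Note:** A worker that matches the worker filter must exist before defining the Vault credential store, as it`.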
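Review bot: The `it's` to `its` correction in the third hunk (`@@ -99,7 +106,7 @@`) is right, but the same line also replaces the `[credential libraries][]` reference link with plain text. The first hunk adds `[credential libraries][]` elsewhere in this file, so the reference definition still exists and the link can be kept here: `each of its [credential libraries][] plus the capabilities of the`. Unlinking only this occurrence leaves the page inconsistent about when the term is linked.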