
Onboarding - What to Expect

This document describes what Service Teams (customers) can expect from the Secrets Team when onboarding to HCP Vault.

Pre-Onboarding Steps

  1. Service Team: Fill out the Service Level Readiness form for Vault. The Secrets Team will schedule a meeting to discuss use cases and next steps.
  2. Secrets Team: Provide documentation to Service Team that includes:
    1. Internal Vault Documentation
    2. HashiCorp (vendor) Documentation
    3. RACI
  3. Secrets Team: Create a Target Process story to track the work and to determine resource availability and an agreed-upon timeline across both teams for completing the onboarding process.

Onboarding Steps

  1. Secrets Team: Schedule an initial meeting (30 minutes) to go over the following:
    1. Discuss Service Team's current use of secrets
    2. Discuss Service Team's scope and use cases
    3. Brief overview of Vault
    4. Describe namespaces and discuss need for sub-namespaces
    5. Demonstrate Grouper Structure for Namespace Management
  2. Service Team/Secrets Team: Add team to the #hcp-vault Slack channel for support and community discussion within the University.
  3. Service Team: Submit the Vault Namespace Google Form to get a namespace created for Service Team's CESI unit.
    1. Please specify who will have update access within Grouper to control which users can be added/removed from their created group for namespace access.
  4. Service Team: Submit the Vault Sub-namespace Google Form to create any sub-namespaces that may be required. Sub-namespaces are for CESI groups that have subteams within them that require further isolation of secrets.
  5. Secrets Team: Work with IAM to create the necessary Grouper groups and provision the new namespace in Vault. The Secrets Team will notify the Service Team when the namespace is ready.
  6. Service Team: A member or manager of the Service Team who was provisioned with update access in Grouper in step 3 will add team members to Grouper so they can access Vault.
  7. Secrets Team: Schedule an onboarding meeting (30 minutes) to go over the following:
    1. How to log into Vault and access the Service Team's new namespace(s)
      1. CLI access
      2. GUI access
    2. Describe Vault's features and pre-configured namespace items (secrets engines, policies, etc.)
    3. Demo Vault functionality and show sample repo
    4. Begin discussing potential use cases and timeline of work with the Service Team
    5. Answer any other questions by the Service Team
  8. Secrets Team: Schedule 1-2+ (1 hour) meetings to guide the Service Team through 1-2 use cases. During these sessions the Secrets Team will go over:
    1. Vault Auth Methods & Vault Policies
    2. Either technical discussions or hands-on work to enable one or two specific secrets use cases of the Service Team.
    3. Other best practices
  9. Service Team: Feel free to reach out to the Secrets Team at secrets-team@umn.edu to schedule any follow-up sessions.