Bearer authentication
Vault requires an Authorization: Bearer <token> header on the Encrypt, Decrypt, and ReEncrypt RPCs. The token must match bearer_token from the service config. Calls with a missing or invalid token fail with Unauthenticated. Liveness does not require authentication.
The token is compared using constant-time equality rather than ordinary string equality. A plain comparison stops at the first mismatched byte, so response timing would let a caller recover the token one byte at a time; the constant-time comparison takes the same time whether the guess is wrong at the first byte or the last.
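The check above, written out as an added example (this is not Vault's own code). It uses only the Go standard library so it runs stand-alone: the gRPC status error is replaced by a sentinel error, the full method names are assumed, and the expected token is a constructed value. Incoming metadata is modelled as the map[string][]string that gRPC metadata.MD is built on.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// ErrUnauthenticated stands in for gRPC's codes.Unauthenticated so that this
// example builds with the standard library alone (assumption: the real
// service returns a status error carrying that code).
var ErrUnauthenticated = errors.New("unauthenticated")

// Full method names are hypothetical; the page names the RPCs but not the
// proto package or service they belong to.
const (
	methodLiveness  = "/vault.Vault/Liveness"
	methodEncrypt   = "/vault.Vault/Encrypt"
	methodDecrypt   = "/vault.Vault/Decrypt"
	methodReEncrypt = "/vault.Vault/ReEncrypt"
)

// authRequired lists the RPCs that must carry a bearer token. Anything not
// listed (Liveness) is allowed through without a credential.
var authRequired = map[string]bool{
	methodEncrypt:   true,
	methodDecrypt:   true,
	methodReEncrypt: true,
}

// bearerFromMetadata pulls the token out of an "authorization: Bearer <token>"
// header. gRPC lowercases metadata keys on the wire and a key may carry several
// values; the first is used, and the scheme name is matched case-insensitively
// as RFC 6750 allows.
func bearerFromMetadata(md map[string][]string) (string, bool) {
	vals := md["authorization"]
	if len(vals) == 0 {
		return "", false
	}
	const prefix = "bearer "
	v := vals[0]
	if len(v) <= len(prefix) || !strings.EqualFold(v[:len(prefix)], prefix) {
		return "", false
	}
	return v[len(prefix):], true
}

// authorize is the decision a unary server interceptor would make before
// dispatching fullMethod. expected is the configured bearer_token.
func authorize(fullMethod string, md map[string][]string, expected []byte) error {
	if !authRequired[fullMethod] {
		return nil
	}
	tok, ok := bearerFromMetadata(md)
	if !ok {
		return fmt.Errorf("%w: missing or malformed bearer token", ErrUnauthenticated)
	}
	// subtle.ConstantTimeCompare touches every byte regardless of where the
	// first difference is, so response time does not reveal how many leading
	// bytes of a guess were right. (A plain tok == string(expected) stops at
	// the first mismatch.) It reports a length mismatch without comparing,
	// which leaks only the token's length, not its contents.
	if subtle.ConstantTimeCompare([]byte(tok), expected) != 1 {
		return fmt.Errorf("%w: invalid bearer token", ErrUnauthenticated)
	}
	return nil
}

func main() {
	configured := []byte("example-bearer-token") // constructed value, not a real secret
	cases := []struct {
		method string
		md     map[string][]string
	}{
		{methodLiveness, nil},
		{methodEncrypt, nil},
		{methodDecrypt, map[string][]string{"authorization": {"Bearer example-bearer-token"}}},
		{methodReEncrypt, map[string][]string{"authorization": {"Bearer example-bearer-tokeN"}}},
	}
	for _, c := range cases {
		fmt.Printf("%-26s err=%v\n", c.method, authorize(c.method, c.md, configured))
	}
}
```

To wire this into a real server, call authorize from a grpc.UnaryServerInterceptor with the md obtained from metadata.FromIncomingContext(ctx) and the info.FullMethod passed in, and translate a non-nil result into status.Error(codes.Unauthenticated, ...). Keep the interceptor's error message generic: distinguishing "missing" from "invalid" in the wire response is harmless for a static token, but never echo the presented value back.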
Token rotation
Vault does not manage token rotation. You must update the token in AWS Secrets Manager and roll the deployment. Because the callers below embed the bearer token, roll them as well as Vault, otherwise any caller still holding the old value will start failing with Unauthenticated. Runtime callers that embed the bearer token:
- API service (svc/api/run.go)
- Frontline service and certificate manager (svc/frontline/run.go, svc/frontline/services/certmanager/service.go)
- Krane service and secrets service (svc/krane/run.go, svc/krane/secrets/service.go)
- Control plane worker and workflows (svc/ctrl/worker/run.go, svc/ctrl/worker/deploy/service.go, svc/ctrl/worker/certificate/service.go, svc/ctrl/worker/clickhouseuser/service.go)
- Control ACME user service (svc/ctrl/services/acme/user.go)
- Analytics connection manager (internal/services/analytics/service.go)

