Every credential MAEL uses — JWT signing keys, LLM provider keys, per-tenant integration credentials — lives in Vault; PostgreSQL only holds a Vault path reference. scripts/vault-bootstrap.sh is the one-time setup script, idempotent (every step checks before it creates, so re-running after a partial failure is safe).

What it does, in order

  1. vault operator init (recovery keys)
  2. Enables a file audit device
  3. Enables KV v2 mounts: seo-ai-os (component config) and secret (VaultClient’s tenant-credential mount point)
  4. Enables Kubernetes auth (for the Vault Agent Injector, on the Kubernetes deployment path)
  5. Enables AppRole auth (runtime identity for the api/worker processes, on any deployment path, including a single VPS)
  6. Writes every policy from helm/vault/policies/

Prerequisites

  • vault CLI, with VAULT_ADDR exported
  • After init: VAULT_TOKEN exported (the initial root token — revoke it once bootstrap and credential migration are done)
This script’s Kubernetes-auth step assumes an in-cluster Vault (see Kubernetes deployment). On a single VPS (VPS deployment), skip Kubernetes auth entirely and use AppRole only — production Settings validation only requires vault_approle_role_id, never Kubernetes auth specifically.

Remaining manual steps

The script prints these at the end — deliberately manual, since they touch real credentials:
  1. Generate a secret-id per runtime AppRole
  2. Write each component’s config secret (APP_SECRET_KEY, DATABASE_URL, REDIS_URL, etc.) via vault kv put
  3. Migrate existing credentials: python scripts/vault_migrate_credentials.py --help
  4. Revoke the initial root token

Security architecture