Introduction
In HCP Vault, each Vault cluster has an admin namespace that the platform configures by default when the cluster is created. The root namespace is not accessible in HCP Vault; more information on this can be found here. To initially access the admin namespace in HCP Vault, you will need to generate an admin token via HCP. The default admin namespace name is not currently configurable, and unfortunately we do not have any information on if or when this may change. Operators can create namespaces within the admin namespace as needed to suit their operational needs.
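The sketch below is an added example, not HashiCorp's code: it resolves a namespace path so that it is always rooted at admin, then builds (without sending) the Vault API call that creates a child namespace there. The cluster address and token are constructed placeholders, and the function names are hypothetical.

```python
HCP_TOP_NAMESPACE = "admin"  # top-level namespace on HCP Vault, per the article


def resolve_namespace(path: str) -> str:
    """Return the full namespace path, always rooted at admin."""
    parts = [p for p in path.strip().split("/") if p]
    # Paths given relative to admin ("team-a") are prefixed; paths that
    # already start with admin are only normalized.
    if parts[:1] != [HCP_TOP_NAMESPACE]:
        parts.insert(0, HCP_TOP_NAMESPACE)
    return "/".join(parts)


def create_namespace_request(addr: str, token: str, new_namespace: str) -> dict:
    """Describe the HTTP request that creates new_namespace under admin.

    Vault creates a namespace with POST /v1/sys/namespaces/<name>, issued
    in the context of the parent namespace (X-Vault-Namespace header).
    """
    full = resolve_namespace(new_namespace)
    parent, _, child = full.rpartition("/")
    if not parent:
        # full == "admin": the platform created it and root is out of reach.
        raise ValueError("the admin namespace already exists and has no accessible parent")
    return {
        "method": "POST",
        "url": f"{addr.rstrip('/')}/v1/sys/namespaces/{child}",
        "headers": {
            "X-Vault-Token": token,
            "X-Vault-Namespace": parent,
        },
    }


if __name__ == "__main__":
    # Constructed values: replace with your cluster address and admin token.
    req = create_namespace_request(
        "https://vault-cluster.example.com:8200", "<admin-token>", "team-a/app1"
    )
    print(req["method"], req["url"])
    print("X-Vault-Namespace:", req["headers"]["X-Vault-Namespace"])
```

A request sent without the admin prefix in X-Vault-Namespace targets the root namespace, which is not accessible in HCP Vault.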
Use Case
Namespaces are a key part of how we balance both security and operability with HCP Vault. When a new cluster is bootstrapped, the platform uses the initial root token to generate an MSP token and then revokes the initial root token. The MSP token has very limited permissions at the root namespace and does not have access to the admin namespace, and thus cannot access customer data.
Additionally, limiting changes to the configuration at the root namespace prevents many failures that might otherwise be induced inadvertently. A subset of functionality that would otherwise be accessed via the root namespace is provided via the HCP portal. More information on the MSP policy can be found here.
Additional Links
https://learn.hashicorp.com/tutorials/cloud/vault-namespaces
https://learn.hashicorp.com/tutorials/vault/namespaces
https://www.vaultproject.io/docs/enterprise/namespaces