Migration Guide
Move from static secrets to hardware-backed credentials without disrupting your team
Migrating to Vouch does not have to be all-or-nothing. You can install Vouch alongside your existing credentials and migrate one integration at a time. This guide walks through a phased rollout, a per-integration checklist, and a rollback plan.
Phase 1 – Install and enroll
Install the Vouch CLI alongside your existing credential setup. Nothing changes yet.
- Install the CLI on each developer’s machine. See Getting Started.
- Enroll YubiKeys with the Vouch server. Each developer runs
vouch enroll. - Test login. Each developer runs
vouch loginand verifies they can authenticate.
At this point, Vouch is installed but no integrations are active. Existing SSH keys, AWS access keys, and GitHub PATs continue to work as before.
Phase 2 – Migrate integrations one at a time
Pick one integration to migrate first. AWS is recommended because credential_process works alongside existing credentials without conflict.
Migration order (recommended)
| Order | Integration | Why first/last |
|---|---|---|
| 1 | AWS | credential_process adds a new profile. Existing profiles and access keys are unaffected. |
| 2 | SSH | Vouch SSH certificates work alongside existing SSH keys. The SSH agent falls back to keys if the certificate is unavailable. |
| 3 | GitHub | Git credential helpers can be stacked. Vouch adds a new helper without removing existing ones. |
| 4 | Docker | Docker credential helpers can be configured per registry. Migrate one registry at a time. |
| 5 | CodeCommit | Requires AWS integration to be working first. |
| 6 | CodeArtifact | Requires AWS integration to be working first. |
| 7 | EKS | Requires AWS integration and kubectl configuration. |
| 8 | Databases | Requires AWS integration and application-level changes for IAM auth. |
Per-integration checklist
For each integration:
- Configure the integration using
vouch setup <integration>. - Test with one developer before rolling out to the team.
- Verify the tool works with Vouch credentials (e.g.,
aws s3 ls --profile vouch,ssh user@server,git push). - Run for one week with both Vouch and static credentials available.
- Migrate the rest of the team once the pilot developer confirms it works.
Phase 3 – Revoke old credentials
After each integration is working with Vouch for the entire team, revoke the static credentials it replaced:
AWS access keys
# List existing access keys
aws iam list-access-keys --user-name alice
# Deactivate first (in case you need to re-enable)
aws iam update-access-key --user-name alice --access-key-id AKIAXXXXXXXX --status Inactive
# Delete after confirming everything works
aws iam delete-access-key --user-name alice --access-key-id AKIAXXXXXXXX
Check ~/.aws/credentials on each developer’s machine and remove static entries.
SSH keys
- Remove old public keys from
~/.ssh/authorized_keyson servers (or from your configuration management tool). - Keep the Vouch CA public key as the only trusted signer in
sshd_config. - Developers can keep their SSH key files locally as a fallback, or remove them.
GitHub PATs
- Navigate to GitHub Settings > Developer settings > Personal access tokens.
- Revoke tokens that were used for repository access.
- Verify that
git pushstill works with the Vouch credential helper.
Docker credentials
- Check
~/.docker/config.jsonfor stored registry credentials. - Remove entries for registries now handled by Vouch.
CI/CD considerations
CI/CD pipelines typically do not have YubiKeys. They will continue to use their existing credential mechanisms:
| CI/CD pattern | Recommendation |
|---|---|
| GitHub Actions | Use OIDC federation with GitHub’s built-in OIDC provider (token.actions.githubusercontent.com). This is separate from Vouch and provides the same STS-based authentication for pipelines. |
| AWS CodeBuild / CodePipeline | Use IAM roles attached to the build environment. No static keys needed. |
| Jenkins / GitLab CI | Use IAM roles if running on EC2, or Vouch CI/CD integration for human approval gates. |
| Static keys in CI/CD | If your pipeline currently uses static AWS keys, keep them for now. Replace them with OIDC federation (GitHub Actions) or IAM roles (EC2-based runners) as a separate project. |
Vouch’s CI/CD integration is designed for human approval gates (e.g., requiring a YubiKey tap before a production deployment), not for replacing machine credentials in automated pipelines.
Rollback plan
If you need to revert to static credentials for any integration:
AWS
- Re-enable or re-create IAM access keys for affected users.
- Update
~/.aws/credentialswith the static keys. - Remove or comment out the
credential_processline in~/.aws/configfor the Vouch profile.
SSH
- Re-add public keys to
~/.ssh/authorized_keyson servers. - Ensure
IdentityFileentries in~/.ssh/configpoint to the static keys. - SSH falls back to keys automatically if the Vouch certificate is unavailable.
GitHub
- Generate a new GitHub PAT.
- Update the Git credential helper or set
GIT_ASKPASSto use the PAT. - Remove the Vouch credential helper entry from
~/.gitconfig.
Docker
- Run
docker login <registry>with static credentials. - Remove the Vouch credential helper from
~/.docker/config.json.
Verification checklist
After completing migration for all integrations:
- All developers can
vouch loginand access all required services. - No static AWS access keys remain active in IAM.
- No static SSH keys remain in
authorized_keys(only the Vouch CA is trusted). - No GitHub PATs remain active.
- CI/CD pipelines continue to function with their own credential mechanisms.
- SCIM provisioning is configured for automated onboarding/offboarding (recommended for teams > 15 people).
- Break-glass procedures are documented for emergency access without Vouch. See Availability.