Bind Token to MAC Address

So I have been looking into Vault and saw that tokens can have CIDR bounds applied to them, allowing only a certain subnet or IP range to use them. For machines that don't have a static IP, I was wondering: is there a way to bind the tokens to the hardware (for example, the MAC address) rather than using the CIDR-bound token method?

No, there isn’t.

MAC addresses are only visible within the network subnet they are used in and don't propagate through routers, so in any network of realistic size the Vault server has no visibility of the MAC addresses of its clients.

A better approach is to work on securing the authentication method and using reasonably short-lived tokens; then you don't need to worry about network binding.

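As an added example (not part of the thread, and not Vault's own code), the following Python script audits AppRole role definitions against the advice above: short token lifetimes and CIDR bounds on both the token and the secret ID. It assumes the JSON shape returned by `vault read -format=json auth/approle/role/<name>` (a `data` object with the AppRole API's field names, durations reported in seconds); the two sample roles embedded in it are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample of what `vault read -format=json auth/approle/role/<name>`
# returns for two roles (assumption: AppRole API field names, durations in seconds).
SAMPLE_ROLES = {
    "batch-worker": {
        "data": {
            "token_ttl": 600,
            "token_max_ttl": 1800,
            "token_bound_cidrs": ["10.20.0.0/16"],
            "secret_id_bound_cidrs": ["10.20.0.0/16"],
            "secret_id_num_uses": 1,
            "secret_id_ttl": 300,
        }
    },
    "legacy-app": {
        "data": {
            "token_ttl": 0,
            "token_max_ttl": 0,
            "token_bound_cidrs": [],
            "secret_id_bound_cidrs": [],
            "secret_id_num_uses": 0,
            "secret_id_ttl": 0,
        }
    },
}


def audit_approle(name, role, max_ttl_seconds=3600):
    """Return a list of findings for one role; an empty list means it passes."""
    d = role["data"]
    findings = []

    # A TTL of 0 means "inherit the mount/system default", which can be days long,
    # so it is flagged alongside explicitly long TTLs.
    for key in ("token_ttl", "token_max_ttl"):
        ttl = d.get(key, 0)
        if ttl == 0:
            findings.append(f"{name}: {key} is 0 (inherits mount default); set an explicit short value")
        elif ttl > max_ttl_seconds:
            findings.append(f"{name}: {key}={ttl}s exceeds the {max_ttl_seconds}s limit")

    # Both the issued token and the secret ID used to log in should be CIDR-bound.
    for key in ("token_bound_cidrs", "secret_id_bound_cidrs"):
        cidrs = d.get(key) or []
        if not cidrs:
            findings.append(f"{name}: {key} is empty; usable from any source address")
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{name}: {key} contains {cidr}, which matches every address")

    # A secret ID that can be reused indefinitely behaves like a long-lived credential.
    if d.get("secret_id_num_uses", 0) == 0:
        findings.append(f"{name}: secret_id_num_uses is 0 (unlimited); prefer a small number")

    return findings


def audit_all(roles, max_ttl_seconds=3600):
    """Audit a mapping of role name -> role JSON and return name -> findings."""
    return {name: audit_approle(name, role, max_ttl_seconds) for name, role in roles.items()}


def audit_from_json(name, text, max_ttl_seconds=3600):
    """Audit a single role from the raw JSON text printed by the vault CLI."""
    return audit_approle(name, json.loads(text), max_ttl_seconds)


if __name__ == "__main__":
    for role_name, role_findings in audit_all(SAMPLE_ROLES).items():
        status = "OK" if not role_findings else f"{len(role_findings)} finding(s)"
        print(f"{role_name}: {status}")
        for f in role_findings:
            print(f"  - {f}")
```

To use it against a live server, pipe the output of `vault read -format=json auth/approle/role/<name>` into `audit_from_json`; the thresholds are deliberately parameters, since what counts as "reasonably short-lived" depends on how often the client can re-authenticate.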

Not today; however, we have inquired about opening an enhancement request for this feature. I'm not sure what the status of it is, but it would be an interesting option to have.