Can I use the IPs in the X-Forwarded-For header to match IPs listed in 'token_bound_cidrs'?

My Vault server deployment is behind an AWS ELB/ALB which NATs any source IP but will insert an X-Forwarded-For header. I want to restrict tokens to particular source IP ranges; can I use the IPs in the X-Forwarded-For header to match IPs listed in ‘token_bound_cidrs’ in an AppRole?

Thanks
Steve

Hi, Steve!
I had the same issue recently where I had set up bound_cidrs for the secret_id and resulting tokens and noticed that my LB’s NATing was getting in the way of good functionality. Looks like there’s a config item in the Vault server TCP listener block in which you can specify a trusted range of CIDRs for honoring X-Forwarded-For headers, so in our case, we’ll set that to our private LB subnets. There are a few other X-Forwarded-For related knobs to twiddle there, too.

Here’s the link to the docs on that listener config; I hope that helps you out:

All best,
Caitlin
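As an added illustration of the listener settings referred to above (not from the thread or the Vault docs): a TCP listener block that only honours X-Forwarded-For when the TCP connection itself comes from the load balancer's subnets. The CIDRs, file paths and address are placeholders; the `x_forwarded_for_*` keys are Vault's own listener options.

```hcl
# Vault TCP listener: trust X-Forwarded-For only from the LB subnets.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"   # placeholder path
  tls_key_file  = "/etc/vault/tls/vault.key"   # placeholder path

  # Connections originating in these CIDRs (placeholder: the private
  # subnets the ELB/ALB nodes live in) are allowed to set the client
  # address via X-Forwarded-For. A client connecting directly, or from
  # any other address, cannot spoof its source IP with this header.
  x_forwarded_for_authorized_addrs = ["10.0.1.0/24", "10.0.2.0/24"]

  # Fail closed: reject requests from an authorized proxy that carry
  # no header, and requests that carry the header but arrive from an
  # address outside the authorized list.
  x_forwarded_for_reject_not_present    = true
  x_forwarded_for_reject_not_authorized = true

  # Number of trailing hops to ignore. With a single LB in front of
  # Vault the rightmost entry is the address the LB itself appended
  # (the real client), so no hops are skipped.
  x_forwarded_for_hop_skips = 0
}
```

With this in place the CIDRs in an AppRole's `token_bound_cidrs` (and `secret_id_bound_cidrs`) are compared against the forwarded client address, so they should list the client ranges, not the LB subnets.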

I’m in the same situation here, but on-premises. @ccqw, the question is about the IP that is making the Vault request; we’re getting the LB IP instead of the client IP. It is a problem if you want to filter the source of a KV request by a CIDR.

@steven-cherry, did you find a solution?

Uh, @ccqw already provided the solution in the previous post…?