Can the wrapping token be scoped to cidr?

I have a pki mount. I can issue certificates from it with this command:

vault write pki/issue/issuerRole common_name=test1.example.com

But I don’t want the script that issues that command to see the private key, so I wrap it by adding -wrap-ttl 60m to the command:

vault write -wrap-ttl 60m pki/issue/issuerRole common_name=test1.example.com

I get back something like this:

Key                              Value
---                              -----
wrapping_token:                  s.bKA6FFKYqLY6S5BlcmPSKUAy
wrapping_accessor:               gRCRbs8EKcypPrg7y2nCZzgF
wrapping_token_ttl:              1h
wrapping_token_creation_time:    2019-10-10 13:09:47.1881939 -0400 EDT
wrapping_token_creation_path:    pki/issue/issuerRole

As expected, I can retreive the certificate and private key by calling:

vault unwrap s.bKA6FFKYqLY6S5BlcmPSKUAy

How can I put restrictions like source IP or subnet on the unwrapping token (other than duration and num uses) ?

Hi Guillaume,

There is nothing I can think of builtin to Vault that would let you do that.