Can the wrapping token be scoped to cidr?

I have a pki mount. I can issue certificates from it with this command:

vault write pki/issue/issuerRole common_name=test1.example.com

But I don’t want the script that issues that command to see the private key, so I wrap it by adding -wrap-ttl 60m to the command:

vault write -wrap-ttl 60m pki/issue/issuerRole common_name=test1.example.com

I get back something like this:

Key                              Value
---                              -----
wrapping_token:                  s.bKA6FFKYqLY6S5BlcmPSKUAy
wrapping_accessor:               gRCRbs8EKcypPrg7y2nCZzgF
wrapping_token_ttl:              1h
wrapping_token_creation_time:    2019-10-10 13:09:47.1881939 -0400 EDT
wrapping_token_creation_path:    pki/issue/issuerRole

As expected, I can retrieve the certificate and private key by calling:

vault unwrap s.bKA6FFKYqLY6S5BlcmPSKUAy

How can I put restrictions like source IP or subnet on the unwrapping token (other than duration and num uses)?

Hi Guillaume,

There is nothing I can think of built in to Vault that would let you do that.

1 Like