Default policy has sys/leases/renew, won't this allow a bad actor to extend the lease of a dynamic secret?

Curious and trying to learn,

I saw sys/leases/renew in the default Vault policy, which can renew any lease given a lease ID.
Assume Vault admins are under the assumption that they have short-lived dynamic secrets and that these automatically expire, for example an IAM user from the AWS secrets engine.

I understand renew-self is essential and is best left in the default policy.

If a bad actor can get the lease ID (not sure how they could get it: from sys/leases or at the time of creation), they can renew and keep using the dynamic secrets even if the Vault admin assumes they are short-lived.

There are multiple baseless assumptions here! Like, how does the bad actor get the lease ID? Can the Vault admin not watch logs?

Just thinking out loud about whether I need to remove sys/leases/renew from the default policy and add it wherever needed, and what the implications are.

Hi saipranav,

We consider lease IDs sensitive information for reasons such as the one you describe. As such, we never log them, we don’t usually expose them (the list lease endpoint requires sudo), API endpoints that take a lease ID must be POSTs rather than GETs even if they’re merely queries, they cannot occur in storage paths, etc.

That said, it’s not a bad idea to remove sys/leases/renew from the default policy. If you don’t need it, least privilege is usually safest.
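An added illustration of the change discussed above (not part of either post): the default policy trimmed so it no longer grants sys/leases/renew, beside a narrow policy that grants it only to the workload that legitimately renews its own AWS credentials. The policy name, the `aws/` mount and the role name are made up, and the built-in default policy has further stanzas that are left as they are.

```hcl
# --- "default" policy, constructed excerpt ---
# Keep the self-scoped paths: a token may look up, renew and revoke itself.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
path "auth/token/revoke-self" {
  capabilities = ["update"]
}

# Removed: the stanza below is the one the thread is about. Without it a
# token that only carries "default" cannot renew an arbitrary lease_id,
# so a leaked lease ID by itself no longer extends a dynamic secret.
#
# path "sys/leases/renew" {
#   capabilities = ["update"]
# }

# --- "aws-cred-renewer" policy (hypothetical name) ---
# Attached only to the workload that reads, and must keep renewing, the
# IAM credentials from the (hypothetical) aws/ mount and app-role role.
path "aws/creds/app-role" {
  capabilities = ["read"]
}

# Assumption: Vault's HTTP API also accepts the lease ID as a URL suffix
# (sys/leases/renew/<lease_id>). Granting only that prefix limits renewal
# to leases issued by this role; a client that sends the lease_id in the
# request body instead hits the bare sys/leases/renew path, which this
# policy deliberately does not grant.
path "sys/leases/renew/aws/creds/app-role/*" {
  capabilities = ["update"]
}
```

After `vault policy write default default.hcl` and `vault policy write aws-cred-renewer renewer.hcl`, `vault token capabilities <token> sys/leases/renew` should report `deny` for a token that carries only the default policy.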

Thanks for the reply. Thanks for maintaining such a great product.