Curious and trying to learn,
I saw sys/leases/renew in the default Vault policy, which can renew any lease given a lease ID.
Assume Vault admins are under the assumption that they have short-lived dynamic secrets and that these automatically expire, for example an IAM user from the AWS secrets engine.
I understand renew-self is essential and is best in the default policy.
If a bad actor can get the lease ID (not sure how they would get it: from sys/leases or at the time of creation), they can renew and keep using the dynamic secrets even if the Vault admin assumes they are short-lived.
There are multiple baseless assumptions here! Like, how does the bad actor get the lease ID? Can the Vault admin not watch logs?
Just thinking out loud about whether I need to remove sys/leases/renew from the default policy and add it wherever needed, and what the implications are.
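The post asks whether a Vault admin could catch this in the logs. As an added example that is not part of the original post, the following Python flags sys/leases/renew (and legacy sys/renew) requests in a Vault audit log where the renewing token's accessor differs from the accessor that was issued the lease, or where the lease ID never appeared in any logged response. It assumes the audit-log field names shown (auth.accessor, request.data.lease_id, response.secret.lease_id) and runs over constructed sample lines; since one audit device HMACs these values with a single salt, the equality comparison holds even on HMACed logs.

```python
import json

# Constructed sample Vault audit-log lines (not real output). In a real log the
# accessor and lease_id values are HMACed, but one audit device salts them
# consistently, so equality comparisons between entries still work.
SAMPLE_AUDIT_LOG = """
{"type":"response","time":"2024-01-01T10:00:00Z","auth":{"accessor":"hmac-sha256:aaa","display_name":"app-ci"},"request":{"id":"r1","operation":"read","path":"aws/creds/deploy"},"response":{"secret":{"lease_id":"aws/creds/deploy/LEASE1"}}}
{"type":"request","time":"2024-01-01T10:30:00Z","auth":{"accessor":"hmac-sha256:aaa","display_name":"app-ci"},"request":{"id":"r2","operation":"update","path":"sys/leases/renew","data":{"lease_id":"aws/creds/deploy/LEASE1","increment":3600}}}
{"type":"request","time":"2024-01-01T11:00:00Z","auth":{"accessor":"hmac-sha256:bbb","display_name":"other-token"},"request":{"id":"r3","operation":"update","path":"sys/leases/renew","data":{"lease_id":"aws/creds/deploy/LEASE1","increment":3600}}}
{"type":"request","time":"2024-01-01T11:05:00Z","auth":{"accessor":"hmac-sha256:ccc","display_name":"unknown"},"request":{"id":"r4","operation":"update","path":"sys/leases/renew","data":{"lease_id":"aws/creds/deploy/NEVERSEEN","increment":3600}}}
"""

# Both the current and the legacy renew-by-lease-id paths from the default policy.
RENEW_PATHS = {"sys/leases/renew", "sys/renew"}


def find_suspicious_renewals(log_text):
    """Flag renew requests where the renewing token's accessor is not the one
    that received the lease, or where the lease id never appeared in a logged
    response (i.e. it was obtained some other way)."""
    owner = {}      # lease_id -> accessor of the token that was issued the lease
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        accessor = (entry.get("auth") or {}).get("accessor")
        req = entry.get("request") or {}
        if entry.get("type") == "response":
            secret = (entry.get("response") or {}).get("secret") or {}
            if secret.get("lease_id"):
                owner.setdefault(secret["lease_id"], accessor)
        elif entry.get("type") == "request" and req.get("path") in RENEW_PATHS:
            lease_id = (req.get("data") or {}).get("lease_id")
            if lease_id not in owner:
                reason = "no logged issuance"
            elif owner[lease_id] != accessor:
                reason = "renewed by a different token"
            else:
                continue    # same token that was issued the lease: expected
            findings.append({
                "request_id": req.get("id"),
                "time": entry.get("time"),
                "lease_id": lease_id,
                "renewer": accessor,
                "issued_to": owner.get(lease_id),
                "reason": reason,
            })
    return findings
```

Renewals are also capped by the lease's max TTL, so these alerts matter most where that cap is long.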