How to prevent token being stolen

Does it mean, if the token or username and password are stolen, anyone can use that token (userpass) to access the Vault server? If that is the case, how do I secure a token (userpass) from being stolen?

First of all read the production hardening guide:

At the end you can create an admin/ root like policy (https://learn.hashicorp.com/tutorials/vault/policies#example-policy-for-admin) and let vault rotate the root token so that even you won’t have it.

2 Likes

Hi Wolfsrudel,

Thank you for your reply. Let’s say I use curl to access a secret:

curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data '{ "data": {"password": "my-long-password"} }' \
    http://127.0.0.1:8200/v1/secret/data/creds | jq -r ".data"

If $VAULT_TOKEN is stolen, anyone can use this token to retrieve a secret from Vault, is that correct?
I am using vault agent to access secret in vault secret. What will be the best practice to secure accessing the data?

Yes, that’s true. The root token is the God like access to Vault. :wink:

You should follow the principle of least privilege:

Definition of the Principle of Least Privilege (POLP)
The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function.
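
As an added illustration of the least-privilege advice above (not part of the original thread and not HashiCorp's own example): a Vault policy scoped to the single KV v2 path used in the curl call, so that a stolen token exposes only that one secret. The policy name `creds-app` and the TTL values in the comments are assumptions.

```hcl
# creds-app.hcl (hypothetical file name)
# Vault policies are deny-by-default: any path not listed here is refused,
# so a token carrying only this policy cannot touch other secrets, sys/*
# or auth/* endpoints.

# Read-only access to the one secret the application needs.
# KV v2 stores data under <mount>/data/<name>, matching the curl URL
# /v1/secret/data/creds used earlier in the thread.
path "secret/data/creds" {
  capabilities = ["read"]
}

# If the application must also write the secret (the curl call above uses
# POST, which maps to create/update), grant only those verbs instead of
# falling back to a root or admin token:
#
# path "secret/data/creds" {
#   capabilities = ["create", "update", "read"]
# }

# Let the token inspect and renew itself so it can be kept short-lived.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

path "auth/token/renew-self" {
  capabilities = ["update"]
}

# Loading the policy and issuing a short-lived token bound to it
# (TTL values are assumptions, tune them to the workload):
#
#   vault policy write creds-app creds-app.hcl
#   vault token create -policy=creds-app -no-default-policy \
#       -ttl=15m -explicit-max-ttl=1h
```

A token issued this way still works for anyone who steals it, but only against `secret/data/creds` and only until it expires or is revoked with `vault token revoke`.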