Permit one "entity" to create a wrapped token but not be able to unwrap it?

lyndsey-ferguson · March 30, 2021, 12:28am

Is there a way to require that two “entities” coordinate in order to:

create a token that allows an action
use that token to actually perform the action

For example, A wants to write to auth/userpass/users/mom and has to ask B: “please create me a token that allows me to write to mom”. B creates the token that allows the creation of auth/userpass/users/mom (or even auth/userpass/users/*). B, somehow cannot use that token, but A can. A gets the token from B, and creates the auth/userpass/users/mom.

It could also be the other way around, B wants to write to auth/userpass/users/dad and ask A, “please create me a token…”…

Does that make sense? Is it possible with Vault?

lyndsey-ferguson · March 30, 2021, 12:30am

I know that I could probably enforce the rules with audits and alerts to watch for unwraps by the same auth entity, but I’d like to know if there is a way to prevent it rather than alert on such an event.

grantorchard1 · April 6, 2021, 1:54pm

You could write appropriate policies for sys/wrapping/unwrap and sys/wrapping/wrap. I’m not sure exactly what the use case is here, but it may also be worth looking at control groups.

Cheers,
Grant

lyndsey-ferguson · April 13, 2021, 11:18am

Hi Grant,

Control Groups are exactly what I was looking for, thank you.