Permit one "entity" to create a wrapped token but not be able to unwrap it?

Is there a way to require that two “entities” coordinate in order to:

  1. create a token that allows an action
  2. use that token to actually perform the action

For example, A wants to write to auth/userpass/users/mom and has to ask B: “please create me a token that allows me to write to mom”. B creates the token that allows the creation of auth/userpass/users/mom (or even auth/userpass/users/*). B, somehow, cannot use that token, but A can. A gets the token from B and creates auth/userpass/users/mom.

It could also be the other way around: B wants to write to auth/userpass/users/dad and asks A, “please create me a token…”…

Does that make sense? Is it possible with Vault?

I know that I could probably enforce the rules with audits and alerts to watch for unwraps by the same auth entity, but I’d like to know if there is a way to prevent it rather than alert on such an event.

You could write appropriate policies for sys/wrapping/unwrap and sys/wrapping/wrap. I’m not sure exactly what the use case is here, but it may also be worth looking at control groups.
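As an added illustration of the control group approach (not code from the thread or from HashiCorp): two Vault policies, one for the requester and one for the approver. The identity group name `approvers`, the `ttl`, and the policy names are assumptions; control groups are a Vault Enterprise feature, and the requester must not itself be a member of `approvers` for the separation to hold.

```hcl
# --- requester.hcl (attached to A's token) ------------------------------
# A may create or update userpass users, but every such request is held as
# a pending control group until one member of the "approvers" identity
# group authorizes it. A never needs a token from B at all.
path "auth/userpass/users/*" {
  capabilities = ["create", "update"]
  control_group = {
    # assumed: pending requests expire after 4 hours if nobody approves
    ttl = "4h"
    factor "approver" {
      identity {
        group_names = ["approvers"]   # assumed group name
        approvals   = 1
      }
    }
  }
}

# --- approver.hcl (attached to B's token) -------------------------------
# B can authorize and inspect pending control group requests, but has no
# capability on auth/userpass/users/*, so B cannot perform the write
# itself. That gives the two-person split the question asks for.
path "sys/control-group/authorize" {
  capabilities = ["update"]
}

path "sys/control-group/request" {
  capabilities = ["update"]
}

# For the response-wrapping variant in the answer: B's own token may wrap
# but is denied unwrapping. Note this only governs calls made with B's
# token; a wrapping token presented directly carries its own policy, so
# this rule alone does not stop whoever holds the wrapping token from
# unwrapping it. Prefer the control group above for enforced separation.
path "sys/wrapping/wrap" {
  capabilities = ["update"]
}

path "sys/wrapping/unwrap" {
  capabilities = ["deny"]
}
```

Load each file with `vault policy write requester requester.hcl` and `vault policy write approver approver.hcl`, then attach them to the respective entities; the approver's group must be an identity group that B's entity belongs to.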


Hi Grant,

Control Groups are exactly what I was looking for, thank you.
