Since Terraform requires /auth/token/create with “update” capabilities to create a token (short TTL) to apply the Terraform configuration to Vault, doesn’t this mean that they can also create new tokens using any of the policies (except for root) once they log in to Vault?
I have Vault deployed in Kubernetes, and my current setup is that a user retrieves a Vault token using OIDC/Okta; that token is then used to create new policies, configure the Kubernetes auth method and render secrets for the k8s deployment.
Any idea on how I can create a flow where the authenticated user can create policies and secrets and configure Kubernetes auth for the k8s deployment, but cannot create tokens other than for Terraform to do its initial token creation?
If anyone can help guide me in the right direction, it’d be much appreciated. Thank you!
Link to Vault needing to create its own short-TTL child token for related tasks.
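One way to shape the policy this question describes, as an added example that is not part of the original post: a Vault ACL policy in HCL that grants policy, KV and Kubernetes-auth administration while narrowing `auth/token/create` with `allowed_parameters` and `denied_parameters`. The mount paths (`secret/`, `auth/kubernetes`), the `app-*` prefix and the `terraform-operator` policy name are assumed placeholders, not values from the post.

```hcl
# Added example (not from the original post). Mount paths, the "app-*"
# prefix and the "terraform-operator" policy name are placeholders.

# Day-to-day administration the operator is expected to perform.
path "sys/policies/acl/app-*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "auth/kubernetes/config" {
  capabilities = ["create", "read", "update"]
}
path "auth/kubernetes/role/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# KV v2 mounted at secret/: data and metadata are separate paths.
path "secret/data/app/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/app/*" {
  capabilities = ["read", "list"]
}

# Child-token creation, narrowed to what a Terraform run needs.
# Vault already limits a non-root child token to a subset of its parent's
# policies and revokes it when the parent is revoked. The constraints below
# additionally pin the policy set and refuse orphan and periodic tokens.
# Once allowed_parameters is non-empty, every parameter not listed is
# refused, so check the audit log for the exact parameters the client
# sends and add them here; an empty list ("[]") permits any value.
path "auth/token/create" {
  capabilities = ["update"]
  allowed_parameters = {
    # If the client omits "policies", the child inherits the parent's set.
    "policies"         = ["default", "terraform-operator"]
    "ttl"              = []
    "explicit_max_ttl" = []
    "renewable"        = []
    "num_uses"         = []
    "display_name"     = []
    "meta"             = []
  }
  denied_parameters = {
    "no_parent" = []   # no orphan tokens that outlive the operator's session
    "period"    = []   # no periodic (indefinitely renewable) tokens
  }
}
```

Because `allowed_parameters` compares values as exact strings, this policy constrains which tokens can be minted rather than forbidding `auth/token/create` outright, which is the capability the Terraform provider needs.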