I have issued a token X (the token is permanent but has restricted access) to my application A to access some secrets. I want to know if there is some authorization management inside of Vault itself that can help in identifying that the app that is accessing with token X is application ‘A’ itself and not some other entity.
What I mean is that no other person except for App ‘A’ should be able to access Vault with Token X.
There are third-party authorization methods (like GitHub, AWS, Google), but they will increase the time/request for my application. Is there any way around it?
Not really. As far as Vault is concerned it just sees an API call with a token. It has no visibility over who is sending that API call. About the only thing you could do is to restrict the IP address that can use that token, but there is no way of knowing if the call comes from the expected app (from that allowed IP address) or something else running on the same machine.
There are no permanent restricted access tokens in Vault.
Thanks for the quick response. I guess, I was also looking for some confirmation at the end.
Here I meant two points:
- Permanent in the sense that its TTL is infinite, like a root token.
- Restricted as in, if I have n number of secrets, the token is only allowed to read/write a few of them.
Not possible - Vault does not permit tokens other than root tokens to have infinite TTL.
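The two controls Vault does offer for the situation described in this thread, put together as an added example (not code from the thread or from HashiCorp): a policy that exposes only a few secret paths, a token role with bound CIDRs so the token is usable only from the app host's address, and a finite TTL instead of a root-like infinite one. It assumes a KV v2 engine mounted at `secret/`, an app host at 10.0.0.5, and `VAULT_ADDR`/`VAULT_TOKEN` already set for an administrator.

```shell
#!/bin/sh
# Added example: scope a Vault token to a few secrets, bind it to the app
# host's address, and give it a bounded TTL. The CIDR is an assumed value.
APP_CIDR="${APP_CIDR:-10.0.0.5/32}"

# Policy for app A: only these two KV v2 paths are reachable; Vault denies
# every path not listed here by default.
render_policy() {
  cat <<'EOF'
# Read-only access to the database credentials of app A.
path "secret/data/app-a/db" {
  capabilities = ["read"]
}
# Read and rotate the API key of app A.
path "secret/data/app-a/api-key" {
  capabilities = ["read", "update"]
}
EOF
}

# Load the policy, define a token role with bound CIDRs and a capped TTL, and
# mint a token from that role. token_bound_cidrs only checks the request's
# source address: as the thread notes, it cannot tell app A apart from another
# process on the same host, so it limits where a leaked token works, not who.
provision() {
  command -v vault >/dev/null 2>&1 || { echo "vault CLI not found" >&2; return 2; }
  render_policy | vault policy write app-a -
  vault write auth/token/roles/app-a \
    allowed_policies="app-a" \
    token_bound_cidrs="$APP_CIDR" \
    token_ttl="1h" \
    token_max_ttl="24h" \
    renewable=true
  # Prints only the token; the app renews it before token_ttl expires.
  vault token create -role=app-a -field=token
}
```

Run `provision` on an admin workstation; the app then renews the token with `vault token renew` (or the renew API) well within the 1h TTL.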