X-Vault-Token significance in vault authentication


Siddhesh Divekar

Sep 20, 2019, 2:02:23 AM
to Vault
Hi All,

I recently started playing with vault so have some basic questions.
In almost all the authentication apis we have to pass X-Vault-Token.

curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \

Does X-Vault-Token have only the unwrap permission/policy attached to it?

Only approle api takes role-id and secret-id and gives back access token.
However to renew this access token we again need X-Vault-Token.

curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \

Does X-Vault-Token have just the renew permission/policy attached to it?

What should be the ideal minimum policies/capabilities associated with X-Vault-Token?

Thanks,
-Siddhesh

Michel Vocks

Sep 20, 2019, 5:15:01 AM
to Vault
Hi there and welcome to Vault!

Vault uses the token to authenticate and authorize your requests. I recommend having a look at the token documentation: https://www.vaultproject.io/docs/internals/token.html
And also the token learning guide can be quite helpful: https://learn.hashicorp.com/vault/security/tokens

> Only approle api takes role-id and secret-id and gives back access token.
> However to renew this access token we again need X-Vault-Token.

Every authentication engine usually returns a Vault token. This token should be used for further requests and it also contains a TTL (time-to-live) value.
A token can be seen as a session key which signals to Vault who is requesting the API endpoint and which permissions they have. If the TTL expires, the token will be revoked (your session ends).
The token renew API endpoint allows the user to renew the TTL attached to the supplied token.

> What should be the ideal minimum policies/capabilities associated with X-Vault-Token?

That really depends on your use-case. We recommend following the principle of least privilege where you only attach capabilities to different paths which are needed for this user.

Cheers,
Michel

Siddhesh Divekar

Sep 20, 2019, 4:14:13 PM
to vault...@googlegroups.com
Thanks Michel.

In the case of AppRole, what would be the recommended approach?
Admin creates role ID and secret ID and gives them to the app.
App generates the token and renews the token as needed?

Or

Admin creates a role ID and creates an X-Vault-Token which has permissions
to create secret IDs, and gives both to the app.
App creates a secret ID and then generates a token to enable/create secrets.


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/ee844b37-401e-4366-a87c-c95cba864794%40googlegroups.com.


--
-Siddhesh.

Michel Vocks

Sep 24, 2019, 3:08:51 AM
to Vault
Hi Siddhesh,

I recommend having a look at our AppRole Authentication guide. It includes a special section which tackles this question: https://www.vaultproject.io/guides/identity/authentication#advanced-features

Cheers,
Michel
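
An added example, not code from the thread or from HashiCorp, of the split that the linked guide describes: an admin-side token that may only mint (wrapped) secret-ids for one role, and an app token holding only what it needs to read its secrets and renew itself. The role name `myapp`, the `secret/data/myapp/*` path and the TTLs are assumptions; the live part only runs when `VAULT_ADDR` is set and the `vault` CLI is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumes a running Vault with an admin
# token in VAULT_TOKEN and the KV v2 engine mounted at secret/.
set -eu

# Least-privilege policy for the token the app logs in with: it can read its
# own secrets and look up / renew itself. No unwrap, no secret-id creation.
app_policy() {
  cat <<'EOF'
path "secret/data/myapp/*"    { capabilities = ["read"] }
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/renew-self"  { capabilities = ["update"] }
EOF
}

# Policy for the admin-side "issuer" token: it may only generate secret-ids
# for this one role. Without the role_id it cannot log in as the app itself.
issuer_policy() {
  cat <<'EOF'
path "auth/approle/role/myapp/secret-id" { capabilities = ["update"] }
EOF
}

# Full flow: admin side (policies, role, issuer token), then the app side
# (unwrap the delivered secret-id, log in, renew the resulting token).
approle_flow() {
  app_policy    | vault policy write myapp -
  issuer_policy | vault policy write myapp-issuer -
  vault auth enable approle 2>/dev/null || true
  vault write auth/approle/role/myapp token_policies=myapp \
    token_ttl=1h token_max_ttl=24h secret_id_ttl=10m secret_id_num_uses=1
  ROLE_ID=$(vault read -field=role_id auth/approle/role/myapp/role-id)
  ISSUER_TOKEN=$(vault token create -policy=myapp-issuer -field=token)

  # Issuer mints a single-use secret-id, response-wrapped so the carrier
  # that delivers it to the app never sees the plaintext value.
  WRAP=$(VAULT_TOKEN="$ISSUER_TOKEN" vault write -f -wrap-ttl=60s \
    -field=wrapping_token auth/approle/role/myapp/secret-id)

  # App side: unwrap, log in, then renew itself with the token it was given.
  SECRET_ID=$(vault unwrap -field=secret_id "$WRAP")
  APP_TOKEN=$(vault write -field=token auth/approle/login \
    role_id="$ROLE_ID" secret_id="$SECRET_ID")
  VAULT_TOKEN="$APP_TOKEN" vault token renew -increment=1h >/dev/null
  echo "app token obtained and renewed"
}

if [ -n "${VAULT_ADDR:-}" ] && command -v vault >/dev/null 2>&1; then
  approle_flow
fi
```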

Siddhesh Divekar

Sep 24, 2019, 10:24:57 AM
to vault...@googlegroups.com
Hi Michel,

Thanks for the pointer.

I already took a look at that, but currently we don't have all the entities which the example talks about.
That's why I was doing admin creating role ID and secret ID and feeding them to the app. Let me see how we can fit that in.



--
-Siddhesh.