Revoking tokens issued by a compromised AppRole


Christophe T.D.

Oct 19, 2017, 4:21:37 AM
to Vault
Hi, 

I have several applications, each one having an AppRole with particular policies attached to it.


$ vault list auth/approle/role/

Keys
----
myservice


To login, each application uses its role ID and a secret ID in order to get a token, and then authenticate to Vault.

$ vault write auth/approle/login role_id=xxx secret_id=xxx

Key                     Value
---                     -----
token                   c0e85e79-c971-ce59-ac0a-b7b02186b86f
token_accessor          ff45cb52-570b-b619-99d6-2d167a19a78c
token_duration          768h0m0s
token_renewable         true
token_policies          [default myservice-policy]
token_meta_role_name    "myservice"


Typically, I'd be storing the role ID and secret ID in the configuration file of the application.

Now, let's assume one application gets compromised. How can I revoke all tokens issued to a specific application, as well as its role ID and secret ID?

- If I remove the role (vault delete auth/approle/role/myservice), the role ID and secret ID of the application can't be used to issue new tokens, but the tokens already issued stay valid
- I could do it manually by:
    - listing all the tokens issued to the application using vault list auth/token/accessors
    - for each of these token accessors, getting its properties via vault write auth/token/lookup-accessor accessor=xxx
    - checking if the metadata has the information role_name=myservice
    - if this is the case, revoking the token using vault write auth/token/revoke-accessor accessor=xxx
  ... but this seems highly unscalable and error-prone.

Any idea on how this could be achieved? Ideally, it'd be something like vault write -f auth/approle/role/myservice/revoke.

Thanks!

Christophe
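The manual accessor sweep described in the question, automated as an added example (not code from the thread or from Vault itself). It assumes the token auth backend's accessor endpoints at their default paths, VAULT_ADDR/VAULT_TOKEN in the environment, and that the operator token running it has list and sudo capabilities on auth/token/accessors; the lookup/revoke callables are injectable so the matching logic can be exercised without a live Vault.

```python
import json
import os
import sys
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # assumed default
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")  # operator token, not the app's AppRole token


def _vault(method, path, body=None):
    """Minimal Vault HTTP API call (LIST/POST) returning the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", VAULT_TOKEN)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def list_accessors():
    # Equivalent of: vault list auth/token/accessors
    return _vault("LIST", "auth/token/accessors")["data"]["keys"]


def lookup_accessor(accessor):
    # Equivalent of: vault write auth/token/lookup-accessor accessor=xxx
    return _vault("POST", "auth/token/lookup-accessor", {"accessor": accessor})["data"]


def revoke_accessor(accessor):
    # Equivalent of: vault write auth/token/revoke-accessor accessor=xxx
    _vault("POST", "auth/token/revoke-accessor", {"accessor": accessor})


def revoke_tokens_for_role(role_name, list_fn=list_accessors, lookup_fn=lookup_accessor,
                           revoke_fn=revoke_accessor, dry_run=False):
    """Revoke every token whose metadata says it came from AppRole `role_name`.
    Returns the matching accessors; with dry_run=True nothing is revoked."""
    matched = []
    for accessor in list_fn():
        info = lookup_fn(accessor)
        meta = info.get("meta") or {}  # tokens without metadata return meta=null
        if meta.get("role_name") == role_name:
            matched.append(accessor)
            if not dry_run:
                revoke_fn(accessor)
    return matched


if __name__ == "__main__":
    # Usage: python revoke_approle.py myservice [--dry-run]
    print(revoke_tokens_for_role(sys.argv[1], dry_run="--dry-run" in sys.argv))
```

Run with --dry-run first so you can see which accessors match before revoking; delete the role (or rotate its secret IDs) first so no new tokens are issued while the sweep runs.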

Chris Hoffman

Oct 19, 2017, 12:10:18 PM
to vault...@googlegroups.com
There is currently no easy way to accomplish this with the approle backend.  Normally, the recommendation would be to use revoke-prefix to revoke all credentials for the given login path.  In the case of AppRole, the login path is the same for all role_ids so a revoke-prefix will revoke all logins for the mount.  A potential solution would be to add the role_id to the login path.  I created a GitHub issue to track this issue https://github.com/hashicorp/vault/issues/3478.

Chris 

You received this message because you are subscribed to the Google Groups "Vault" group.
