To reduce the chances that Vault tokens with Admin access can be intercepted and used maliciously, I propose that we bind these tokens to the cluster's CIDR block through the use of token_bound_cidrs. This will require admins to port-forward through the cluster to access Vault for administrative tasks. Though it's an added inconvenience, I believe that this is an effective compromise in the name of security.
Currently when logging in with OIDC, admins will get a token with admin access automatically. I recommend that we make the Admin access to Vault an explicitly requested role so as to reduce the generation of tokens that have Admin access unnecessarily.
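As an added example, not code from the issue or the project it belongs to: the two proposed changes expressed with the Terraform Vault provider, assuming an OIDC mount at `oidc`, a `groups` claim in the ID token, and placeholder values for the cluster CIDR, issuer and client.

```hcl
# Placeholders (assumed, not from the issue): the CIDR Vault sees admin traffic
# from, and the OIDC client registered at the identity provider.
variable "cluster_cidr"       { default = "10.0.0.0/16" }
variable "oidc_client_id"     { default = "vault" }
variable "oidc_client_secret" { sensitive = true }

resource "vault_jwt_auth_backend" "oidc" {
  path               = "oidc"
  type               = "oidc"
  oidc_discovery_url = "https://issuer.example.com" # placeholder issuer
  oidc_client_id     = var.oidc_client_id
  oidc_client_secret = var.oidc_client_secret
  # Change 2: the role handed out by a plain `vault login -method=oidc` is no
  # longer the admin role, so admin tokens exist only when explicitly requested.
  default_role = "reader"
}

resource "vault_jwt_auth_backend_role" "reader" {
  backend               = vault_jwt_auth_backend.oidc.path
  role_name             = "reader"
  role_type             = "oidc"
  user_claim            = "email"
  bound_audiences       = [var.oidc_client_id]
  allowed_redirect_uris = ["https://vault.example.com/ui/vault/auth/oidc/oidc/callback"]
  token_policies        = ["default", "reader"]
}

resource "vault_jwt_auth_backend_role" "admin" {
  backend         = vault_jwt_auth_backend.oidc.path
  role_name       = "admin"
  role_type       = "oidc"
  user_claim      = "email"
  bound_audiences = [var.oidc_client_id]
  # Assumed: only members of the IdP admin group may even request this role.
  bound_claims = { groups = "vault-admins" }
  allowed_redirect_uris = [
    "https://vault.example.com/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/callback", # CLI login over the port-forward
  ]
  token_policies = ["default", "admin"]
  # Change 1: admin tokens are only accepted from inside the cluster CIDR, so a
  # token that leaks to a laptop or CI log is useless from any other address.
  token_bound_cidrs = [var.cluster_cidr]
  token_ttl         = 3600
}

# Admins then run, after `kubectl port-forward svc/vault 8200:8200`:
#   vault login -method=oidc role=admin
```

The CIDR has to cover the source address Vault actually observes on the admin path: a kubectl port-forward is terminated inside the pod's network namespace (typically seen as loopback), while traffic from an in-cluster jump pod arrives from the pod CIDR, so confirm with a test login before relying on the binding.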