Hi Guys,
I have 3 servers with Vault installed in and a few applications running in other two servers. I am using AppRole as the auth backend and I am trying to restrict access from all other IPs except from . So I used the parameter bound_cidr_list= while using the command,
vault write auth/approle/role/<role_name> policy=<policy_name> bound_cidr_list=<server2_ip>/32
And I created the role, role-id and secret-id. Using the role-id and secret-id I generated a token for passing it in my application. For testing purposes, I tried to query some secrets stored in Vault which is running in from . As per the condition, I should not be authorised. But I am able to query for the secrets stored in Vault from even after specifying bound_cidr_list.
Where am I going wrong? Please help me out.

The bound cidr list there affects only authentication conditions. Once you retrieve the token, the token itself is not bound to particular IPs. Follow #815 if you want to see any developments that may happen on that front.
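
Since the reply in this thread states that the CIDR binding is checked only at authentication, one compensating control is to scan the audit log for tokens of a CIDR-bound role being used from other addresses. The sketch below is an added example, not code from Vault or from this thread; the log entries are constructed, and their field layout (`auth.metadata.role_name`, `request.remote_address`) and the `ROLE_CIDRS` map are assumptions to adapt to your deployment.

```python
import ipaddress
import json

# Constructed sample: simplified entries shaped like Vault audit-device JSON
# (field names are an assumption; adjust them to your audit log).
SAMPLE_AUDIT_LOG = """\
{"type":"request","auth":{"metadata":{}},"request":{"operation":"update","path":"auth/approle/login","remote_address":"10.0.0.2"}}
{"type":"request","auth":{"metadata":{"role_name":"app1"}},"request":{"operation":"read","path":"secret/app1/db","remote_address":"10.0.0.2"}}
{"type":"request","auth":{"metadata":{"role_name":"app1"}},"request":{"operation":"read","path":"secret/app1/db","remote_address":"10.0.0.3"}}
not-json garbage line
{"type":"response","auth":{"metadata":{"role_name":"app1"}},"request":{"operation":"read","path":"secret/app1/db","remote_address":"10.0.0.3"}}
"""

# Hypothetical role -> CIDR map mirroring each role's bound_cidr_list.
ROLE_CIDRS = {"app1": ["10.0.0.2/32"]}


def token_use_outside_cidr(log_text, role_cidrs):
    """Return (role, path, remote_address) for each request made with a token
    of a CIDR-bound role from an address outside that role's CIDRs."""
    nets = {role: [ipaddress.ip_network(c, strict=False) for c in cidrs]
            for role, cidrs in role_cidrs.items()}
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(entry, dict) or entry.get("type") != "request":
            continue  # count each request once; ignore response entries
        req = entry.get("request") or {}
        role = ((entry.get("auth") or {}).get("metadata") or {}).get("role_name")
        if role not in nets:
            continue  # login request (no role yet) or role without a binding
        try:
            addr = ipaddress.ip_address(req.get("remote_address", ""))
        except ValueError:
            continue  # missing or malformed source address
        if not any(addr in net for net in nets[role]):
            findings.append((role, req.get("path"), str(addr)))
    return findings


if __name__ == "__main__":
    for finding in token_use_outside_cidr(SAMPLE_AUDIT_LOG, ROLE_CIDRS):
        print("token used outside bound CIDR:", finding)
```
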