Add the ability to restrict token usage by IP. Add to token roles. #4412
Conversation
| break | ||
| } | ||
| } | ||
| if !valid { |
There was a problem hiding this comment.
Can we add a server log entry here indicating the reason for failure? It otherwise may be hard to find out the cause for the denial. Or, how about a new error to indicate that this is from a CIDR check failure?
There was a problem hiding this comment.
We don't do that for any other type of authorization denied. If we're going to start naming types (which I'm not convinced we should do) then we should do it throughout.
| for _, v := range boundCIDRs { | ||
| parsedCIDR, err := sockaddr.NewSockAddr(v) | ||
| if err != nil { | ||
| return logical.ErrorResponse(errwrap.Wrapf(fmt.Sprintf("invalid value %q when parsing bound cidrs: {{err}}", v), err).Error()), nil |
There was a problem hiding this comment.
Can we remove the usage of errwrap here? It may not serve anything since we are converting the error into a string argument.
There was a problem hiding this comment.
Formats it in a sanitized way though
|
I found this issue looking for a way to restrict a vault token to only be used from an ec2 instance with a given instance profile. The ec2 instance logs in using the aws auth, but we dont see a way in the docs to restrict the token usage to the given instance profile. If I can only restrict token usage by IP address thats fine, but I dont see how to do that in the docs either. Can you help me out @jefferai or @vishalnayak ? |
|
Looks like @tyrannosaurus-becks is the hero I need to add |
Fixes #815