Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Cubbyhole to pass tokens #15

Closed
mp911de opened this issue Jun 27, 2016 · 4 comments
Closed

Support Cubbyhole to pass tokens #15

mp911de opened this issue Jun 27, 2016 · 4 comments
Assignees
@mp911de
Labels
type: enhancement

Comments

@mp911de
Copy link
Member

mp911de commented Jun 27, 2016

Spring Cloud Vault Config allows configuration of a static token spring.cloud.vault.token. Storing the token allows lookup attacks: The static key can be retrieved from the configuration by unauthorized users and can be used to access Vault.

Implementing a cubbyhole authentication for a short-lived (temporary) and long-lived (permanent) token can take advantage from token expiry. A short-lived token that allows a limited number of usages can be used by the application to obtain secrets from cubbyhole. The cubbyhole holds a long-lived token (or other credentials) which is used then to access Vault secrets.

Users could configure the short-lived token in spring.cloud.vault.token to obtain secrets from cubbyhole.

This approach prevents lookup attacks once the short-term token expires and reveals configuration issues/accesses to Vault is the short-lived token was used to access Vault because an application is no longer able to start up using the temporary token.
@mp911de mp911de changed the title Support Cubbyhole to pass keys Support Cubbyhole to pass tokens Jun 27, 2016
@jacmorel
Copy link

+1 That would be awesome!

@sirlatrom
Copy link

I'd like to point to the new response wrapping feature which might simplify solving this issue: https://www.vaultproject.io/docs/concepts/response-wrapping.html

@mp911de
Copy link
Member Author

mp911de commented Sep 17, 2016

Response wrapping is using cubbyhole to store responses at v1/cubbyhole/response and generates a token with a TTL. Currently, I think the approach could look like:

  1. Operator generates two tokens. A short and a long lived one
  2. The long lived is stored in a path below cubbyhole/…
  3. The short lived token and the path are configured in the app (spring.cloud.vault.cubbyhole.path)
  4. App is started and then you're good to go

Does this make sense?

I will also open a ticket to support wrapped cubbyhole responses but that's different from cubbyhole usage for authentication.

@sirlatrom
Copy link

Yes, that makes perfect sense. I'm not sure if it's relevant, but perhaps this method could be useful in determining whether the token has expired or already used:

A solution that works for me:
when creating a response-wrapped token you get:
1.token creation time
2. token's time to live
Adding these two and passing the result to the target-application helps you (in case of getting denial of token) determine which of the 2 occurred.

http://stackoverflow.com/a/38778650/801334

@mp911de mp911de mentioned this issue Sep 18, 2016
Closed
@mp911de mp911de self-assigned this Sep 21, 2016
spencergibb pushed a commit that referenced this issue Sep 14, 2023
@mp911de
Add support for cubbyhole authentication.
7c7aa05 
We now support cubbyhole authentication to securely use tokens. Cubbyhole authentication uses Vault primitives to provide a secured authentication workflow. Cubbyhole authentication uses tokens as primary login method.
An ephemeral token is used to obtain a second, login VaultToken from Vault's Cubbyhole secret backend. The login token is usually longer-lived and used to interact with Vault. The login token will be retrieved from a wrapped response stored at `/cubbyhole/response`.

A wrapped token can be created with:
vault token-create -wrap-ttl="10m"

boostrap.yml:
spring.cloud.vault:
    authentication: CUBBYHOLE
    token: (the wrapping token)

Fixes gh-15.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mp911de mp911de

Labels
type: enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jacmorel @sirlatrom @mp911de