Add updated wrapping information

2016-06-14 05:59:50 +00:00 · 2016-06-14 05:59:50 +00:00 · 04a03bcb54
parent 112a8e8870
commit 04a03bcb54
2 changed files with 11 additions and 0 deletions
--- a/website/source/docs/concepts/response-wrapping.html.md
+++ b/website/source/docs/concepts/response-wrapping.html.md
@ -51,3 +51,9 @@ trusted third party simply to ensure that the private key corresponding to the
 eventual certificate remains private. The end service can be assured that only
 it will see the generated private key and that any malfeasance is detected.
 This can significantly reduce the complexity of any relaying third party.
+
+One final note: if the wrapped response is an authentication response
+containing a Vault token, the token's accessor will be made available in the
+returned wrap information. This allows privileged callers to generate tokens
+for clients and revoke these tokens (and their created leases) at an
+appropriate time, while never being exposed to the actual generated token IDs.
--- a/website/source/docs/secrets/cubbyhole/index.html.md
+++ b/website/source/docs/secrets/cubbyhole/index.html.md
@ -58,6 +58,11 @@ If using the CLI, passing the wrapping token's ID to the `vault unwrap` command
 will return the original value; `-format` and `-field` can be set like with
 `vault read`.

+If the original response is an authentication response containing a token, the
+token's accessor will be made available to the caller. This allows a privileged
+caller to generate tokens for clients and be able to manage the tokens'
+lifecycle while not being exposed to the actual client token IDs.
+
 ## Quick Start

 The `cubbyhole` backend allows for writing keys with arbitrary values.