Add updated wrapping information

Jeff Mitchell 2016-06-14 05:59:50 +00:00
parent 112a8e8870
commit 04a03bcb54
2 changed files with 11 additions and 0 deletions


@ -51,3 +51,9 @@ trusted third party simply to ensure that the private key corresponding to the
eventual certificate remains private. The end service can be assured that only
it will see the generated private key and that any malfeasance is detected.
This can significantly reduce the complexity of any relaying third party.
One final note: if the wrapped response is an authentication response
containing a Vault token, the token's accessor will be made available in the
returned wrap information. This allows privileged callers to generate tokens
for clients and revoke these tokens (and their created leases) at an
appropriate time, while never being exposed to the actual generated token IDs.
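
Review bot: the phrase "while never being exposed to the actual generated token IDs" in the added paragraph promises more than the context lines just above it, which only say that "any malfeasance is detected". The privileged caller that receives the wrap information also holds the wrapping token, so what it gets is the ability to manage the token without needing to see its ID, plus detection if it unwraps; suggest wording the sentence that way instead of "never". Two smaller points on the same paragraph: it says the accessor is in "the returned wrap information" without naming the field a reader should look for, and it describes the use as "revoke these tokens (and their created leases)" while the matching paragraph in the other file says "manage the tokens' lifecycle". Naming the field and using one description in both files would keep the two documents consistent.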


@ -58,6 +58,11 @@ If using the CLI, passing the wrapping token's ID to the `vault unwrap` command
will return the original value; `-format` and `-field` can be set like with
`vault read`.
If the original response is an authentication response containing a token, the
token's accessor will be made available to the caller. This allows a privileged
caller to generate tokens for clients and be able to manage the tokens'
lifecycle while not being exposed to the actual client token IDs.
## Quick Start
The `cubbyhole` backend allows for writing keys with arbitrary values.
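
Review bot: "the caller" in the added paragraph is ambiguous because it follows the `vault unwrap` sentence directly, so it reads as the caller of unwrap, who receives the original token anyway. Suggest saying explicitly that the accessor is returned to whoever made the wrapped request, alongside the wrapping token, and moving the paragraph ahead of the unwrap instructions or giving it its own heading so it does not sit as a trailing remark immediately before "## Quick Start". It would also help to state which operations the accessor permits, since "manage the tokens' lifecycle" leaves that open.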