This seems like a pretty simple use case, but it would depend on some pretty recently added functionality which I might not understand yet:
A Python script gets populated by configuration management on a few monitoring servers within a specific IP range.
def main():
    args = get_args()
    user, password = args.redis_credentials
    # ... store creds in a local file owned by root, do stuff with this ...
It should change to this:
def main():
    args = get_args()
    vault_token = args.approle_token_for_vault
    user, password = get_creds_from_vault(token=vault_token, path="/secrets/redis/redis_credentials")
    # ... store creds in a local file owned by root, do stuff with this ...
This script needs a user/pass auth to a datastore.
Let's say that anything passed to the script goes into a file (e.g. an access token), shared on a bunch of machines. Provisioning is unpredictable, except for a specific subnet or IP address range.
Anyway, can I use Vault to restrict access to these shared credentials based on some kind of network identifier like MAC address or IP address?
Yes, I know, IP address restrictions are a "defense in depth" approach, and IP addresses can be spoofed. But the idea is to quickly make an incremental improvement to the existing security situation.
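The flow the question sketches, written out as an added example (this is not the poster's script, and not Vault project code): the script reads an AppRole secret_id from a root-only file, logs in to Vault, reads the Redis user/password from a KV secret, and writes them to a credential file that is 0600 from the moment it exists. The IP-based restriction itself lives on the Vault side: the AppRole role is created with `token_bound_cidrs` and `secret_id_bound_cidrs` (shown in a comment, as an operator command this code does not run), so a correct role_id/secret_id presented from outside the monitoring subnet is refused at login, and a token that leaks off a monitoring host is useless elsewhere. The Vault address, mount point, role name, field names and every server response below are assumptions or constructed data so the example runs offline.

```python
"""Added example (not the original poster's script): fetch the Redis credentials
from Vault via an AppRole whose logins and tokens are CIDR-bound, then store
them in a root-only file. Vault address, mount point, field names and all
responses below are assumptions or constructed data."""
import json
import os
import stat
import tempfile
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption; real deployments use TLS
# Assumed server-side setup (operator command, not run by this code):
#   vault write auth/approle/role/monitoring \
#       token_bound_cidrs="10.0.5.0/24" secret_id_bound_cidrs="10.0.5.0/24" \
#       token_policies="redis-monitoring" token_ttl=1h
# Vault then rejects logins and token use from source IPs outside that subnet.


def _http(method, url, body=None, token=None):
    """Minimal stdlib transport for the Vault HTTP API (makes a real request)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def read_secret_id(path):
    """Read the AppRole secret_id from a file owned by the running user (root in
    the deployment) with no group/other bits; a readable secret_id lets any
    local user log in as the role from the allowed subnet."""
    st = os.stat(path)
    if st.st_uid != os.geteuid() or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be owned by uid {os.geteuid()} with mode 0600")
    with open(path) as fh:
        return fh.read().strip()


def approle_login(role_id, secret_id, transport=_http, addr=VAULT_ADDR):
    """POST auth/approle/login; this is where Vault applies the CIDR bindings."""
    body = transport("POST", f"{addr}/v1/auth/approle/login",
                     {"role_id": role_id, "secret_id": secret_id})
    return body["auth"]["client_token"]


def get_creds_from_vault(token, path, mount="secret", kv_version=2,
                         transport=_http, addr=VAULT_ADDR):
    """Read a KV secret and return (user, password). KV v2 nests the fields
    under data.data; KV v1 puts them directly under data."""
    prefix = f"{mount}/data/" if kv_version == 2 else f"{mount}/"
    body = transport("GET", f"{addr}/v1/{prefix}{path.lstrip('/')}", token=token)
    fields = body["data"]["data"] if kv_version == 2 else body["data"]
    return fields["user"], fields["password"]


def write_creds_file(dest, user, password):
    """Create the credential file atomically and 0600 from the first byte, so
    no half-written or world-readable copy ever exists on disk."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)), prefix=".creds-")
    try:
        with os.fdopen(fd, "w") as fh:  # mkstemp already created it with mode 0600
            fh.write(f"{user}:{password}\n")
        os.replace(tmp, dest)
    except BaseException:
        os.unlink(tmp)
        raise


def fetch_and_store(role_id, secret_id_path, dest, transport=_http):
    """The intended flow: secret_id from disk -> login -> read secret -> store."""
    token = approle_login(role_id, read_secret_id(secret_id_path), transport)
    user, password = get_creds_from_vault(token, "redis/redis_credentials", transport=transport)
    write_creds_file(dest, user, password)
    return user


# Constructed responses (not captured from a real Vault) so the flow runs offline.
FAKE_RESPONSES = {
    ("POST", f"{VAULT_ADDR}/v1/auth/approle/login"): {"auth": {"client_token": "hvs.constructed"}},
    ("GET", f"{VAULT_ADDR}/v1/secret/data/redis/redis_credentials"): {
        "data": {"data": {"user": "monitor", "password": "s3cret"}, "metadata": {"version": 3}}},
}


def fake_transport(method, url, body=None, token=None):
    """Stand-in for _http: answers from FAKE_RESPONSES, rejects unknown tokens."""
    if method == "GET" and token != "hvs.constructed":
        raise PermissionError("403 permission denied")
    return FAKE_RESPONSES[(method, url)]


def run_offline_demo():
    """Exercise the whole flow against fake_transport and return what to check."""
    with tempfile.TemporaryDirectory() as d:
        sid, dest = os.path.join(d, "secret_id"), os.path.join(d, "redis.creds")
        with open(sid, "w") as fh:
            fh.write("constructed-secret-id\n")
        os.chmod(sid, 0o644)  # too loose: read_secret_id must refuse it
        try:
            read_secret_id(sid)
            loose_rejected = False
        except PermissionError:
            loose_rejected = True
        os.chmod(sid, 0o600)
        user = fetch_and_store("constructed-role-id", sid, dest, transport=fake_transport)
        with open(dest) as fh:
            contents = fh.read()
        mode = stat.S_IMODE(os.stat(dest).st_mode)
        try:
            get_creds_from_vault("stolen-or-expired", "redis/redis_credentials", transport=fake_transport)
            bad_token_rejected = False
        except PermissionError:
            bad_token_rejected = True
    return {"user": user, "contents": contents, "mode": mode,
            "loose_rejected": loose_rejected, "bad_token_rejected": bad_token_rejected}


if __name__ == "__main__":
    print(run_offline_demo())
```

Two practical notes. The CIDR check is made against the source address Vault itself sees, so if the monitoring hosts reach Vault through a load balancer or NAT the bound CIDRs have to describe that address, or the Vault listener has to be configured to trust the proxy's X-Forwarded-For header; otherwise the restriction either blocks everyone or binds to the proxy's IP and restricts nothing. Also, binding the secret_id and the token to the subnet reduces what a copied file is worth off-host, but does nothing against a process on an allowed host, which is why the example still refuses a secret_id file that is readable by anyone other than its owner.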