Vault secret engine plugin for Paseto
Because this is a custom dynamic secret engine, it is not enabled by default, so you have to enable it manually with the following command:
vault secrets enable -path=<path> paseto
Where <path> is the mount path at which the dynamic secret engine plugin will be activated.
The plugin must be configured first, with two simple parameters:
- ttl: the expiration time of each token that is issued on every token request
- footer: a discriminant parameter that is appended to each token
This setup is done with the following command:
vault write <path>/paseto/config footer="whatever" ttl=120
To check the configuration you just wrote, run:
vault read <path>/paseto/config
Once the plugin is configured, and depending on the ACL that is set (see the ACL section below), you can access:
- /paseto/token : if you are allowed to access this path, it returns a PASETO-compliant token whose expiration time is the ttl set in the configuration above
- /paseto/public : if you are allowed to access this path, it returns the public key
- /paseto/config : if you are allowed to access this path, it returns the configuration previously set
Here <path> is intended to match the mount path used in the configuration step above.
As requested, we define 2 roles:
- owner (aka the server): has access to the config and public endpoints
- clients: have access to the token endpoint
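As an added example (not part of the plugin's own documentation), the two roles above expressed as Vault ACL policies, together with the enable/configure commands from this page. It assumes the engine is mounted at paseto (override with MOUNT), that token, public and config are read operations, that config is written with create/update, and the policy names paseto-owner and paseto-clients are placeholders.

```shell
#!/bin/sh
# Added example, not the plugin's own code: the owner and clients roles as
# Vault ACL policies, plus the commands that bind them to a running Vault.
# Assumptions: engine mounted at $MOUNT (default "paseto"); token/public/config
# are read operations; config is written with create/update.
set -eu

MOUNT="${MOUNT:-paseto}"

# Policy for the owner (the server): may write/read config and read the public key.
owner_policy() {
  cat <<EOF
path "${MOUNT}/paseto/config" {
  capabilities = ["create", "update", "read"]
}
path "${MOUNT}/paseto/public" {
  capabilities = ["read"]
}
EOF
}

# Policy for clients: may only request tokens; no access to config or the key.
clients_policy() {
  cat <<EOF
path "${MOUNT}/paseto/token" {
  capabilities = ["read"]
}
EOF
}

# Number of path stanzas a policy grants, for a quick least-privilege check.
policy_path_count() {
  "$1" | grep -c '^path '
}

# Enable the engine, write its config, and load both policies into Vault.
# Only runs when the script is invoked as "./setup.sh apply".
apply_policies() {
  vault secrets enable -path="${MOUNT}" paseto
  vault write "${MOUNT}/paseto/config" footer="whatever" ttl=120
  owner_policy   | vault policy write paseto-owner -
  clients_policy | vault policy write paseto-clients -
}

if [ "${1:-}" = "apply" ]; then
  apply_policies
fi
```

Attach paseto-owner to the server's auth role and paseto-clients to the client auth roles; the clients policy deliberately grants nothing on the config or public paths.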