{"id":"3e71116c-c3f0-4ac1-9def-fa1190ea430e","task":"Use the Vault AppRole pull model with response-wrapped secret_id delivery and a use-limit of one","domain":"vaultproject.io","steps":["Enable AppRole auth: 'vault auth enable approle'","Create a role with a single-use secret_id and short TTL: 'vault write auth/approle/role/myapp role_id=<CUSTOM_ROLE_ID> secret_id_num_uses=1 secret_id_ttl=10m token_ttl=1h token_policies=myapp-policy'","Generate a response-wrapped secret_id (the orchestrator never sees the raw value): 'vault write -wrap-ttl=120s -f auth/approle/role/myapp/secret-id'","Deliver the wrapping token to the application via a secure side channel (environment variable injection, instance metadata, etc.)","The application unwraps to obtain the secret_id: 'vault unwrap <WRAPPING_TOKEN>'","The application logs in: 'vault write auth/approle/login role_id=<ROLE_ID> secret_id=<SECRET_ID>' and caches the resulting Vault token, renewing it before expiry"],"gotchas":["The wrapping token is single-use and time-limited; if it expires or is consumed by an attacker before the legitimate app, the app receives a 400 error — build retry/re-issue logic in the orchestrator","secret_id_num_uses=1 means the secret_id itself is single-use; a pod restart that tries to re-login will fail unless a new secret_id is generated","Vault does not verify that the client who unwraps the token is the intended recipient; the side-channel delivery must be the security control"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:30.487Z"},"url":"https://mcp.waymark.network/r/3e71116c-c3f0-4ac1-9def-fa1190ea430e"}