
The vault doesn’t need to access each system to rotate the keys. It just needs to sign a new token with a short expiry date.

The system reading the token can verify its integrity based on the signature.

Now the vault obviously must have a master key to do the signature. It’s a very powerful privilege that can impersonate, yet not quite as privileged as being sysadmin to all systems.

The main advantage of this is that the tokens the users use can quickly be revoked. They always need to go back to the vault to get new tokens; here you can add more powerful protections and logs, and always MFA.
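The scheme the comment describes, as an added example that is not part of the original thread: a vault-side issuer that signs short-lived tokens, and a relying-system verifier that checks the signature before trusting the expiry and audience claims. The key, subject, audience and TTL values are constructed; an HMAC stands in for the vault's signature, which means every verifier here also holds the minting key, so a real deployment would use an asymmetric signature (e.g. Ed25519) so that only the vault holds the private key and services get just the public key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. In a real vault the master key lives in an HSM or KMS,
# never in source, and is only ever used to sign; nothing else needs it.
MASTER_KEY = b"demo-master-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, ttl_seconds: int = 300,
                now: Optional[float] = None) -> str:
    """Vault side: sign a token whose short TTL bounds the revocation window."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(MASTER_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64url_encode(sig)}"


def verify_token(token: str, expected_audience: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Relying system side: verify integrity first, then expiry and audience.

    Returns the claims on success, None on any failure, without contacting the vault.
    """
    now = time.time() if now is None else now
    try:
        payload, sig_b64 = token.split(".", 1)
        expected = hmac.new(MASTER_KEY, payload.encode(), hashlib.sha256).digest()
        # Constant-time compare, and do it before parsing any claims.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("aud") != expected_audience or now >= claims.get("exp", 0):
        return None
    return claims
```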
