Token with an unlimited lifetime


Alessandro Scuderetti

May 16, 2017, 10:11:49 AM
to Vault
Hi,

my setup:
  • Vault: 0.7.0
  • Storage: Consul
  • Auth Backend: Token (default)
  • Secret Backend: Generic (default)

I want to create a Token with an unlimited lifetime

Documentation say that Periodic Token:
  • It is currently the only way for a token in Vault to have an unlimited lifetime
  • Periodic tokens can be created in a few ways:
      1. By having sudo capability or a root token with the auth/token/create endpoint
      2. By using token store roles
      3. By using an authentication backend that supports issuing these, such as AppRole

I'm using the first way:

curl -H "X-Vault-Token: $root_token" -H 'Content-Type: application/json' -X POST -d '{"policies":["mypolicy"], "period":"0"}' http://127.0.0.1:8200/v1/auth/token/create

{
  "request_id": "9eb95433-5980-2b1e-77cb-d1af3b3b1e82",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": null,
  "auth": {
    "client_token": "<client_token>",
    "accessor": "<accessor_value>",
    "policies": [
      "default",
      "release"
    ],
    "metadata": null,
    "lease_duration": 2764800,
    "renewable": true
  }
}

and these are the properties of the accessor:

curl -H "X-Vault-Token: $root_token" -H 'Content-Type: application/json' -X POST -d '{"accessor":"<accessor_value>"}' http://127.0.0.1:8200/v1/auth/token/lookup-accessor

{
  "request_id": "607f8b7f-e63f-0a1e-ff57-a7d53a47e2c6",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "accessor": "<accessor>",
    "creation_time": 1493034829,
    "creation_ttl": 2764800,
    "display_name": "token",
    "explicit_max_ttl": 0,
    "id": "",
    "meta": null,
    "num_uses": 0,
    "orphan": false,
    "path": "auth/token/create",
    "policies": [
      "default",
      "mypolicy"
    ],
    "renewable": true,
    "ttl": 2764506
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

Questions:
  1. Is "period":"0" the correct value to create a token with an unlimited lifetime?
  2. Why "lease_duration": 0 and "lease_duration": 2764800 in the response of "auth/token/create"?
  3. Why "ttl": 2764506 in the response of "auth/token/lookup-accessor"?



PS: I got the same result also with the second way to create a periodic token, "using token store roles".


Thank you,
Alessandro


Vishal Nayak

May 16, 2017, 10:36:21 AM
to vault...@googlegroups.com
Hi Alessandro,

> Is "period":"0" the correct value to create a token with an unlimited lifetime?

No. A periodic token should have a TTL value other than "0". The way to
ensure an unlimited lifetime is to keep on renewing the periodic token
before it hits its TTL. The maximum TTL which is applicable to regular
tokens is not applicable to periodic tokens. "explicit_max_ttl" is an
exception though.

> Why "lease_duration": 0 and "lease_duration": 2764800 in the response of "auth/token/create"?

The value of interest in that response is the auth block. The outer
"lease_duration" is for something else. Since the token had a period
of 0, the created token is NOT a periodic token and it has the default
TTL of 32 days (2764800 seconds).

> Why "ttl": 2764506 in the response of "auth/token/lookup-accessor" ?

Based on the explanation above, it is the TTL of the regular token
that was created. The token has used up a few seconds of the 32 days.


Changing the "period" to a shorter value, say "10m", and having it
renewed every 10m is the way to use it.

Hope this helps!

Regards,
Vishal



--
vn

Alessandro Scuderetti

May 16, 2017, 11:03:28 AM
to Vault
Thank you Vishal, very useful answer.

But I need a token with an unlimited lifetime and without a renewal process (like the "root_token"). Is it possible? What's the way?

Jeff Mitchell

May 16, 2017, 11:17:59 AM
to Vault
You can make the period be 999 years if you like (and really want)...

Best,
Jeff


Alessandro Scuderetti

May 16, 2017, 11:46:01 AM
to Vault
So renewal is mandatory by design, OK.

We are in the first step of Vault's installation. We use it in the release process: Jenkins calls Vault to read a secret.

Jenkins is on a trusted host and the Jenkins Ops Admin is also the Vault Ops Admin, so in this context, and for our first step, it could be acceptable to have a token with an unlimited lifetime and no renewal... if you have suggestions, you are welcome.

Thank you.

Best,
Alessandro

Randy Fay

May 17, 2017, 11:47:52 AM
to vault...@googlegroups.com
We have the same problem with a Vault monitoring token that needs to have an unlimited life and has very limited privileges. We have a Jenkins job that just hits Vault daily to renew the token:

curl -s --fail  -X POST -H 'X-Vault-Token: monitoringxxxxxtoken' https://vault.drud.com:8200/v1/auth/token/renew-self

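Putting Vishal's explanation (the period must be non-zero, and the token must be renewed before its TTL runs out) and Randy's scheduled renew-self job together, here is an added shell example. It is not code from the thread or from HashiCorp. It assumes VAULT_ADDR and VAULT_TOKEN are set, that VAULT_TOKEN may manage auth/token/roles, and uses a hypothetical role name jenkins-release with the policy mypolicy from the first post. The long-lived token is read from a file rather than written into the job definition, so it is not in the job's configuration or its shell trace. The helper functions run offline against a constructed copy of the create response from the first post; the curl calls need a live Vault.

```shell
#!/bin/sh
# Added example, not code from the thread or from HashiCorp.
# Assumes: VAULT_ADDR and VAULT_TOKEN are set (VAULT_TOKEN needs rights on
# auth/token/roles/*). Role name "jenkins-release" is hypothetical; policy
# "mypolicy" comes from the first post. Only the helper functions run offline.
set -eu

# Extract an integer field from Vault's pretty-printed JSON without jq.
# Field names the thread's responses use: ttl, creation_ttl, lease_duration.
json_int() {
  sed -n 's/.*"'"$1"'": *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# auth.lease_duration, not the outer lease_duration (which is 0 for a token
# create call and confused the original question): skip to the "auth" block.
auth_lease_duration() {
  sed -n '/"auth": *{/,$p' | json_int lease_duration
}

# Role body for a periodic token. "period" must be non-zero: "0" produces a
# regular token with the system default TTL (32 days in the thread).
role_body() {
  printf '{"period":"%s","allowed_policies":"%s","orphan":true}\n' "$1" "$2"
}

# A periodic token's auth.lease_duration equals the period requested.
# Returns 0 (true) if the create response on stdin is periodic with that period.
is_periodic_response() {
  [ "$(auth_lease_duration)" = "$1" ]
}

# Renewal policy: renew once less than half of the period remains.
# For a periodic token, creation_ttl equals the period.
should_renew() {
  [ "$1" -lt $(( $2 / 2 )) ]
}

# One-time setup (run with an admin VAULT_TOKEN): create the role, then mint
# the periodic token from it. Prints the create response; store
# auth.client_token in the job's credential file with mode 0600.
create_periodic_token() {
  role="$1"; period="$2"; policy="$3"
  curl -sS --fail -X POST -H "X-Vault-Token: $VAULT_TOKEN" \
    -d "$(role_body "$period" "$policy")" \
    "$VAULT_ADDR/v1/auth/token/roles/$role" >/dev/null
  curl -sS --fail -X POST -H "X-Vault-Token: $VAULT_TOKEN" \
    "$VAULT_ADDR/v1/auth/token/create/$role"
}

# Scheduled job: look up the token's remaining TTL and renew only when needed.
# The token is read from a file instead of being typed into the job definition.
renew_if_needed() {
  token="$(cat "$1")"
  lookup="$(curl -sS --fail -H "X-Vault-Token: $token" \
    "$VAULT_ADDR/v1/auth/token/lookup-self")"
  ttl="$(printf '%s\n' "$lookup" | json_int ttl)"
  creation_ttl="$(printf '%s\n' "$lookup" | json_int creation_ttl)"
  if should_renew "$ttl" "$creation_ttl"; then
    curl -sS --fail -X POST -H "X-Vault-Token: $token" \
      "$VAULT_ADDR/v1/auth/token/renew-self" >/dev/null
    echo "renewed: ${ttl}s of ${creation_ttl}s were left"
  else
    echo "ok: ${ttl}s of ${creation_ttl}s left, no renew"
  fi
}

# Constructed sample: the create response from the first post, trimmed.
# Period "0" was used, so auth.lease_duration is the 32-day default, not a period.
SAMPLE_CREATE='{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "auth": {
    "client_token": "<client_token>",
    "policies": ["default", "mypolicy"],
    "lease_duration": 2764800,
    "renewable": true
  }
}'

if [ -n "${VAULT_ADDR:-}" ] && [ $# -gt 0 ]; then
  case "$1" in
    create) create_periodic_token jenkins-release 24h mypolicy ;;
    renew)  renew_if_needed "${2:-/etc/jenkins/vault-token}" ;;
  esac
else
  # Offline demonstration on the constructed sample.
  printf '%s\n' "$SAMPLE_CREATE" | is_periodic_response 86400 \
    && echo "periodic" || echo "not periodic: period 0 gave a 32-day regular token"
fi
```

Run `create` once, then schedule `renew` more often than half the period (for a 24h period, every few hours). The renew step checks `ttl` against `creation_ttl` from lookup-self, so a job that fires more often than needed only renews when the remaining TTL is actually low, and `--fail` makes an expired or revoked token surface as a failed job rather than a silent no-op.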

Jeff Mitchell

May 22, 2017, 2:07:08 PM
to Vault
Alessandro,

If you can renew the token periodically a periodic token gives you
unlimited lifetime. If you can't, making a token with a TTL of
99999999 years gives you effectively unlimited lifetime. It's not
usually a good idea, but it's possible.

Best,
Jeff