Vault List Generated Tokens


narayan gowraj
Feb 22, 2016, 7:53:32 PM
to Vault
Is there a feature where vault can list all the tokens that have been created? I am currently using vault list secret/ to display all the secrets. I tried to use vault list auth/token to display all the tokens but it didn't work. Is there a way to get the list of created tokens?

I created a number of tokens and I would like to revoke everything one by one or I would like to revoke all tokens except the root token.

Jeff Mitchell
Feb 22, 2016, 7:57:34 PM
to vault...@googlegroups.com
Hi Narayan,

There is no feature to do this, although if you have knowledge of your
physical backend you could do this using the 'sys/raw' endpoint and
paths gleaned from your physical backend.

This is on purpose, as listing valid tokens is generally a serious
security concern.

You can, however, bulk revoke tokens using the `sys/revoke-prefix`
endpoint and the various paths of your authentication backends (e.g.
auth/github, auth/token, etc.) This would also remove your root token,
but as of 0.5 you can generate new ones using a quorum of unseal keys.

--Jeff

On Mon, Feb 22, 2016 at 7:53 PM, narayan gowraj <gow...@gmail.com> wrote:
> Is there a feature where vault can list all the tokens that has been created ? I am currently using vault list secret/ to display all the secrets. I tried to use vault list auth/token to display all the tokens but didn't work. Is there a way to get the list of created tokens ?
>
> I created a number of tokens and I would like to revoke everything one by one or I would like to revoke all tokens except the root token.
>
> --
> This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/112569ec-b402-4ae6-b1d4-7fce4a399c10%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

narayan gowraj
Feb 22, 2016, 8:14:22 PM
to Vault
Got it.

Just curious: in VAULT 0.5 we can display the list of secrets, so I was wondering if it makes sense to display a list of tokens only via the CLI and not through the API. A VAULT admin who has access to the VAULT server can see a list of secrets and execute vault read secret/x to read the actual secret value, which is as sensitive as, or more sensitive than, the token that protects the secret. Hence, displaying tokens only to the user who has access to the vault server makes sense to me. Just a thought. Thanks.


Jeff Mitchell
Feb 22, 2016, 11:49:32 PM
to vault...@googlegroups.com
Hi Narayan,

The CLI is an API client, so you cannot only display a list of tokens
(or anything else) through the CLI and not the API. But the main
difference between the scenarios that you mentioned is that a Vault
token can do anything that its policies allow it to do. This can
include reading various secrets in the secret/ backend, but can also
include much more functionality. Giving a token access to list and/or
read a set of values in secret/ is a subset of what a token could
potentially be used for, so listing tokens would expose much, much
more surface in Vault for malicious use.

--Jeff


narayan gowraj
Feb 23, 2016, 6:28:17 PM
to Vault
Yeah, that's right. Thanks.

roberto...@openslatedata.com
Apr 10, 2018, 5:09:59 PM
to Vault
I just ran into this very need. While you can't get the token itself (as noted, it's a security feature), it is possible to delete all tokens via their "accessors", which are not as sensitive and are available.

First find your own accessor:

```
$ vault token-lookup
Key              Value
---              -----
accessor        cc9cf43c-afb1-bfe5-2288-8fdfbd06b489
[...]
```

Next, you can list all the accessors on the system:

```
vault list /auth/token/accessors
```

From that list, delete the ones you want, but take care not to revoke your own:

```
vault token-revoke -accessor <accessor>
```
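The accessor-based cleanup above, carried through as a script, added here as an example that is not from the thread or from the Vault project. Because the CLI is only an API client, it talks to the HTTP endpoints the three commands above wrap: `GET auth/token/lookup-self`, `LIST auth/token/accessors` and `POST auth/token/revoke-accessor`. It reads `VAULT_ADDR` and `VAULT_TOKEN` from the environment (assumed to be set as for the CLI); when they are absent it runs against a constructed in-memory stand-in so the logic can be exercised offline. The accessor values in that stand-in are made up. It defaults to a dry run, and the decision of what to revoke is a pure function so it can be reviewed before anything is destroyed.

```python
"""Revoke every Vault token except the caller's own, selecting by accessor.

Added example, not Vault's own code. Uses only the standard library.
"""
import json
import os
import urllib.request
from typing import Callable, Iterable, List, Optional

# Transport signature: (method, path, json_body_or_None) -> parsed JSON dict.
Transport = Callable[[str, str, Optional[dict]], dict]


def http_transport(addr: str, token: str) -> Transport:
    """Minimal Vault HTTP API client over urllib (assumed VAULT_ADDR/VAULT_TOKEN)."""
    def request(method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
        req.add_header("X-Vault-Token", token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return request


def plan_revocations(accessors: Iterable[str], own: str,
                     keep: Iterable[str] = ()) -> List[str]:
    """Return the accessors to revoke: everything except our own and an allow-list.

    Kept pure (no I/O) so the destructive decision is easy to review and test.
    """
    protected = {own, *keep}
    return sorted(a for a in accessors if a not in protected)


def revoke_all_but_self(vault: Transport, keep: Iterable[str] = (),
                        dry_run: bool = True) -> List[str]:
    """List all accessors, drop our own, and revoke the rest unless dry_run."""
    own = vault("GET", "auth/token/lookup-self", None)["data"]["accessor"]
    listing = vault("LIST", "auth/token/accessors", None)
    accessors = listing.get("data", {}).get("keys", [])
    doomed = plan_revocations(accessors, own, keep)
    if not dry_run:
        for acc in doomed:
            vault("POST", "auth/token/revoke-accessor", {"accessor": acc})
    return doomed


def fake_transport(state: dict) -> Transport:
    """Constructed in-memory stand-in for a Vault server, for offline runs."""
    def request(method: str, path: str, body: Optional[dict] = None) -> dict:
        if (method, path) == ("GET", "auth/token/lookup-self"):
            return {"data": {"accessor": state["self"]}}
        if (method, path) == ("LIST", "auth/token/accessors"):
            return {"data": {"keys": list(state["accessors"])}}
        if (method, path) == ("POST", "auth/token/revoke-accessor"):
            state["accessors"].remove(body["accessor"])
            state["revoked"].append(body["accessor"])
            return {}
        raise ValueError(f"unexpected call {method} {path}")
    return request


if __name__ == "__main__":
    if os.environ.get("VAULT_ADDR") and os.environ.get("VAULT_TOKEN"):
        client = http_transport(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    else:
        # Constructed sample state; accessor values are placeholders.
        client = fake_transport({"self": "acc-self",
                                 "accessors": ["acc-self", "acc-1", "acc-2"],
                                 "revoked": []})
    print("would revoke:", revoke_all_but_self(client, dry_run=True))
```

Run it once with the default dry run, inspect the list it prints, and only then call `revoke_all_but_self(client, dry_run=False)`. Any accessors that must survive (for example the one behind an automation token) go in `keep`. Note that, as Jeff said earlier in the thread, the accessor list does not reveal the token values themselves, which is what makes this approach acceptable where listing tokens is not.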