How to find a list of tokens provisioned using a specific admin token


Will Pinney

Mar 3, 2017, 12:26:19 PM
to Vault
All, 

It looks like there are a lot of tokens being left with the expiration date 32 days away. I would like to find all these tokens and manually delete them.

How do I find a list of tokens provisioned using a specific admin token? I cannot find such a command.

Thanks.


Will

Jeff Mitchell

Mar 3, 2017, 1:00:18 PM
to Vault
Hi Will,

The only current way to do something like this is to iterate via a list operation on the auth/token/accessors function. You can then do a lookup on each accessor and check the expiration date, then you can use the revoke-accessor endpoint to revoke any you like.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/741648d2-8740-465d-9819-1f2195627e41%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
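Jeff's procedure (list the accessors, look each one up, check its expiry, revoke by accessor) as a small script. This is an added example, not code from the thread or from HashiCorp; it assumes VAULT_ADDR and VAULT_TOKEN are set in the environment, uses only the three endpoints named above, and the SAMPLE_LOOKUPS records are constructed to show the filter on its own.

```python
# Added example, not from the thread or HashiCorp: walks the three endpoints Jeff
# names. Assumes VAULT_ADDR/VAULT_TOKEN are set and the token's policy grants list
# on auth/token/accessors and update on auth/token/lookup-accessor (and
# auth/token/revoke-accessor when revoking); a missing grant shows up as a 403.
import json
import os
import re
import urllib.request
from datetime import datetime, timedelta, timezone

_FRAC = re.compile(r"(\.\d{1,6})\d*")  # trim Vault's nanosecond fraction to microseconds

def vault_request(method, path, body=None):
    """One authenticated call to the Vault HTTP API; returns the decoded JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + path,
                                 data=data, method=method)
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def parse_expire_time(value):
    """Parse Vault's RFC 3339 expire_time (nanosecond fraction, 'Z' or numeric offset)."""
    return datetime.fromisoformat(_FRAC.sub(r"\1", value.replace("Z", "+00:00")))

def select_long_lived(lookups, now, min_days):
    """Accessors (from lookup-accessor 'data' dicts) whose expiry is >= min_days away.
    Tokens with no expire_time (root, no TTL) are skipped rather than guessed at."""
    cutoff = now + timedelta(days=min_days)
    return [d["accessor"] for d in lookups
            if d.get("expire_time") and parse_expire_time(d["expire_time"]) >= cutoff]

def find_long_lived_accessors(min_days=30, revoke=False):
    """List every accessor, look each up, return the long-lived ones; revoke only on request."""
    accessors = vault_request("LIST", "auth/token/accessors")["data"]["keys"]
    lookups = [vault_request("POST", "auth/token/lookup-accessor", {"accessor": a})["data"]
               for a in accessors]
    chosen = select_long_lived(lookups, datetime.now(timezone.utc), min_days)
    for a in (chosen if revoke else []):
        vault_request("POST", "auth/token/revoke-accessor", {"accessor": a})
    return chosen

# Constructed sample lookups, shaped like the 'data' of a lookup-accessor response.
SAMPLE_LOOKUPS = [
    {"accessor": "acc-aaaa-0001", "expire_time": "2017-04-08T12:00:00.123456789-05:00"},
    {"accessor": "acc-aaaa-0002", "expire_time": "2017-03-08T12:00:00Z"},
    {"accessor": "acc-aaaa-0003", "expire_time": None},  # root-style token, never expires
]
```

Run with revoke=False first and review the returned accessors; the lookup response carries no parent-token field, so expiry is the only filter this procedure offers.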

Randy Fay

Mar 4, 2017, 11:36:18 PM
to vault...@googlegroups.com
The vault_token_lister tool (https://github.com/drud/vault_token_lister) is currently set up to give you a list of tokens based on policy (or all tokens), but could easily be adapted for your purpose, Will.


Will Pinney

Mar 6, 2017, 2:20:14 PM
to Vault

Randy, Thank you for the info. I tried the master branch version of vault_token_lister-master. I got the following error: 

$ vault_token_lister-master -policy pepmgr_policy -rootToken xxxxx  -targetVaultAddr https://xxxx:8200
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x4013f1]

goroutine 1 [running]:
panic(0x63ace0, 0xc4200120b0)
    /usr/lib/go/src/runtime/panic.go:500 +0x1a1
main.main()
    /home/dood/git/src/vault_token_lister-master/vault_token_lister.go:35 +0x3f1



Any suggestions? 


Will Pinney

Mar 6, 2017, 5:47:56 PM
to Vault

All, 


I am getting a 500 "Internal Server Error" here trying to do a list on /auth/token/accessors. It also took about 12 minutes to finish. Any workaround?


~$  curl -vv -k -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" https://10.135.31.1:8200/v1/auth/token/accessors?list=true

or

$ time  curl -vv -k -X LIST  -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" https://10.135.31.1:8200/v1/auth/token/accessors
* Hostname was NOT found in DNS cache
*   Trying 10.135.31.1...
* Connected to 10.135.31.1 (10.135.31.1) port 8200 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
> LIST /v1/auth/token/accessors HTTP/1.1
> User-Agent: curl/7.35.0
> Host: 10.135.31.1:8200
> Accept: */*
> X-Vault-Token: ROOT_TOKEN
> Content-Type: application/json
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json
< Date: Mon, 06 Mar 2017 20:39:44 GMT
< Content-Length: 30
{"errors":["internal error"]}
* Connection #0 to host 10.135.31.1 left intact

real 12m44.150s
user 0m0.020s
sys 0m0.016s



Jeff Mitchell

Mar 7, 2017, 7:29:50 AM
to Vault
Hi Will,

Without the server logs detailing what the internal error is I can't tell you much.

Best,
Jeff


Will Pinney

Mar 7, 2017, 12:40:03 PM
to Vault
Jeff, 

Here is what I got from the vault log: 

2017/03/07 11:33:36.596848 [ERR] audit: backend failed to log response backend=syslog/ error=write unixgram @->/dev/log: i/o timeout
2017/03/07 11:33:36.596904 [ERR] core: failed to audit response request_path=auth/token/accessors error=no audit backend succeeded in logging the response

How do I fix it?

Jeff Mitchell

Mar 7, 2017, 1:12:24 PM
to Vault
Hi Will,

See the section on Blocked Audit Backends at https://www.vaultproject.io/docs/audit/index.html

If you don't trust your syslog not to block, you may want to consider e.g. writing to a file and having syslog pick up from there.

Best,
Jeff


Will Pinney

Mar 7, 2017, 10:05:51 PM
to Vault
Thanks, Jeff. I finally got the key. Now, how do I use the accessors?

I tried the following with no success:

$ vault token-lookup -accessor 7fd0b90c-1704-f684-d1dd-4823d9da9f2a
error looking up token: Error making API request.

URL: POST https://127.0.0.1:8200/v1/auth/token/lookup-accessor/7fd0b90c-1704-f684-d1dd-4823d9da9f2a
Code: 403. Errors:

* 1 error(s) occurred:

* permission denied

Where "7fd0b90c-1704-f684-d1dd-4823d9da9f2a" is from the "keys" section of the JSON output of:

 curl -vv -k -X LIST  -H "X-Vault-Token: $VAULT_TOKEN" -H "Content-Type: application/json" https:/ip.addr.here.1:8200/v1/auth/token/accessors
