Root token generation using API


primate

May 14, 2018, 6:51:48 AM
to Vault
Hi,

Using Vault 0.9.3, I'm following the API guide to generate a new root token: https://www.vaultproject.io/api/system/generate-root.html 

I'm using the OTP option. I get the encoded root token out but there doesn't seem to be an API route to pass the token and the OTP back in to decode the encoded root token like there is at the CLI - am I missing something obvious?

Also, do I need to follow up the root token generation by revoking the preceding one? The preceding one appeared to still be valid in my test environment.

Cheers.

Jeff Mitchell

May 17, 2018, 11:50:37 AM
to Vault
Hi there,

Generating an OTP and decoding it are helpers in the CLI, not part of the server API. If you're using Go you could use the same function that the CLI does via https://godoc.org/github.com/hashicorp/vault/helper/xor but otherwise it's a pretty simple XOR operation.

You can have as many root tokens as you like alive at a given time; they're normal, independent tokens. But we suggest that you don't keep any of them alive longer than you need.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/b01e4cef-34c3-45a6-865f-5510deab2332%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Perry State

Jul 1, 2019, 5:35:54 PM
to Vault
There are two problems.  One is I'm using Ansible to drive my APIs and so far I've not found an XOR function but, that's secondary.

The bigger question is my OTP is 26 bytes but the string returned as the encoded_root_token is 35 bytes.  The XORBytes routine that you point to wants two strings of the same length.  So is one encoded differently from the other?

If I pass the encoded_root_token as input to Ubuntu's base64 -decode, the output is 26 but I'm not sure if that was a coincidence or not. The base64 command isn't happy with the input and says "invalid input".

Any suggestions on how to do this? I'm not clear why the OTP is even needed... really. I mean, yea I guess it's more secure briefly but eventually I need a final token that I can pass for any future API calls.


On Thursday, May 17, 2018 at 10:50:37 AM UTC-5, Jeff Mitchell wrote:
Hi there,

Generating an OTP and decoding it are helpers in the CLI, not part of the server API. If you're using Go you could use the same function that the CLI does via https://godoc.org/github.com/hashicorp/vault/helper/xor but otherwise it's a pretty simple XOR operation.

You can have as many root tokens as you like alive at a given time; they're normal, independent tokens. But we suggest that you don't keep any of them alive longer than you need.

Best,
Jeff

On Mon, May 14, 2018 at 3:51 AM primate <Richa...@sky.com> wrote:
Hi,

Using Vault 0.9.3, I'm following the API guide to generate a new root token: https://www.vaultproject.io/api/system/generate-root.html 

I'm using the OTP option. I get the encoded root token out but there doesn't seem to be an API route to pass the token and the OTP back in to decode the encoded root token like there is at the CLI - am I missing something obvious?

Also, do I need to follow up the root token generation by revoking the preceding one? The preceding one appeared to still be valid in my test environment.

Cheers.

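The XOR step Jeff describes, and the length mismatch Perry runs into, can both be shown in a few lines outside Go. The block below is an added example written for this thread, not Vault's own code and not the `helper/xor` package; it is a Python reimplementation of the two encodings that the CLI helper handles. Assumptions made here and not stated on the page: in the older format (Vault 0.9.x, as in the first post) the OTP is 16 random bytes in standard base64 and the root token is a UUID, so the encoded token is the XOR of the two 16-byte values, base64-encoded with padding; in the newer format (the 26-character OTP in the third post) the OTP is 26 base62 characters, the token is a 26-character string, and the server base64-encodes the XOR result *without* padding, which is why 26 bytes come back as 35 characters and why a strict `base64 --decode` reports "invalid input". All sample tokens and OTPs below are constructed for the example.

```python
import base64
import secrets
import string
import uuid

BASE62 = string.ascii_letters + string.digits


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR with the same contract as Vault's XORBytes: lengths must match."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} vs {len(b)}")
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Older format (assumption: 16-byte OTP in padded base64, UUID root token) ----

def generate_legacy_otp() -> str:
    """16 random bytes, standard base64 (24 characters)."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def encode_legacy(root_token: str, otp: str) -> str:
    """Server side: UUID bytes XOR OTP bytes, padded base64 (24 characters)."""
    token_bytes = uuid.UUID(root_token).bytes          # 16 bytes
    otp_bytes = base64.b64decode(otp)                   # 16 bytes
    return base64.b64encode(xor_bytes(token_bytes, otp_bytes)).decode()


def decode_legacy(encoded: str, otp: str) -> str:
    """Client side: undo the XOR and format the 16 bytes back into a UUID string."""
    token_bytes = xor_bytes(base64.b64decode(encoded), base64.b64decode(otp))
    return str(uuid.UUID(bytes=token_bytes))


# ---- Newer format (assumption: 26-char base62 OTP, unpadded base64 encoded token) ----

def generate_otp(length: int = 26) -> str:
    """26 characters drawn from [A-Za-z0-9]; each character is one byte of XOR key."""
    return "".join(secrets.choice(BASE62) for _ in range(length))


def encode_token(root_token: str, otp: str) -> str:
    """Server side: token string bytes XOR OTP bytes, base64 with the '=' padding removed.

    26 bytes -> 36 base64 characters with padding -> 35 once the single '=' is dropped.
    """
    raw = xor_bytes(root_token.encode(), otp.encode())
    return base64.b64encode(raw).decode().rstrip("=")


def decode_token(encoded: str, otp: str) -> str:
    """Client side: restore the padding the server omitted, base64-decode, XOR with the OTP."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return xor_bytes(base64.b64decode(padded), otp.encode()).decode()


# Constructed sample values (not real tokens); "s." + 24 characters is 26 characters long.
SAMPLE_TOKEN = "s.ABCDEFGHIJKLMNOPQRSTUVWX"
SAMPLE_OTP = "0123456789abcdefghijklmnop"
SAMPLE_LEGACY_TOKEN = "6f1a3b2c-4d5e-4f60-8a7b-9c0d1e2f3a4b"


def demo() -> dict:
    """Round-trip both formats and report the lengths Perry was comparing."""
    enc = encode_token(SAMPLE_TOKEN, SAMPLE_OTP)
    legacy_otp = generate_legacy_otp()
    legacy_enc = encode_legacy(SAMPLE_LEGACY_TOKEN, legacy_otp)
    return {
        "otp_len": len(SAMPLE_OTP),                       # 26
        "encoded_len": len(enc),                          # 35
        "decoded": decode_token(enc, SAMPLE_OTP),         # == SAMPLE_TOKEN
        "legacy_encoded_len": len(legacy_enc),            # 24
        "legacy_decoded": decode_legacy(legacy_enc, legacy_otp),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `xor_bytes` length check is the one Perry hit: the two strings are not the same length because only one of them is base64-encoded. Decode the `encoded_root_token` first (adding the padding back if your base64 tool insists on it, as GNU coreutils does), then XOR the resulting 26 bytes against the 26 OTP characters taken literally. Feeding the OTP through a base64 decoder as well, or XORing the 35-character encoded string directly, produces the mismatch error.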