Listing/Revoking all root tokens

Randy Fay

Dec 22, 2016, 7:00:13 PM
to Vault
I'm going to go with the suggestion in the docs (under "Root Tokens") and stop using root tokens (and create them if needed using vault generate-root.)

So... is there any way to list accessors for tokens of a particular type, for example accessors for root tokens?

It's not hard to use /v1/auth/token/accessors?list=true to get accessors to all tokens, but that can be a big list, and I'm not interested in revoking all of them.

I can also revoke my favorite root token (probably with /v1/auth/token/revoke-self) and hope that the few others I created are descendants of it, but that is not a very authoritative technique.

I can also write code that gets the accessors and then walks through all of them and hits /v1/auth/token/lookup-accessor looking for "policies": [ "root" ], but I'm lazy!

Thanks for suggestions!

-Randy

Jeff Mitchell

Dec 28, 2016, 12:03:20 PM
to vault...@googlegroups.com
Hi Randy,

Unfortunately, the only way to do what you want is to stop being lazy :-D

Best,
Jeff

Randy Fay

Jan 4, 2017, 1:37:20 PM
to Vault
FYI I wrote a little tool to explore token accessors by policy (defaulting to root policy)


We're changing our approach to root tokens - we'll use this to revoke all root tokens and then use vault generate-root if and when we need a root token (and revoke it thereafter). Simplified instructions for vault generate-root are pending in a PR at https://github.com/hashicorp/vault/pull/2217

Thanks,
-Randy
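
The walk described in the first post (list every accessor, look each one up, match on "policies"), as an added example that is not part of the thread and is not the tool mentioned above. `vault_call`, `fake_vault` and the accessor names are assumptions made here; `/v1/auth/token/revoke-accessor` is part of Vault's token API but is not named in the thread.

```python
import json
import urllib.error
import urllib.request

GONE = (urllib.error.HTTPError, LookupError)  # accessor no longer resolves to a token


def vault_call(addr, token):
    """Caller for a real server (hypothetical helper, not from a Vault SDK)."""
    def call(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(addr.rstrip("/") + path, data=data,
                                     method=method, headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return call


def fake_vault(tokens, stale=()):
    """Constructed in-memory stand-in for the token endpoints (runs offline)."""
    def call(method, path, body=None):
        if path.startswith("/v1/auth/token/accessors"):
            return {"data": {"keys": list(tokens) + list(stale)}}
        pick = tokens.pop if path.endswith("/revoke-accessor") else tokens.__getitem__
        return {"data": pick(body["accessor"])}  # KeyError when the accessor is stale
    return call


def accessors_with_policy(call, policy="root"):
    """List all accessors, look each one up, keep those carrying `policy`."""
    found = []
    for accessor in call("GET", "/v1/auth/token/accessors?list=true")["data"]["keys"]:
        try:
            data = call("POST", "/v1/auth/token/lookup-accessor", {"accessor": accessor})["data"]
        except GONE:
            continue  # expired or revoked between the list and the lookup
        if policy in (data.get("policies") or []):
            found.append(accessor)
    return found


def revoke_accessors(call, accessors):
    """Revoke by accessor; skip ones already gone (e.g. child of a revoked parent)."""
    done = []
    for accessor in accessors:
        try:
            call("POST", "/v1/auth/token/revoke-accessor", {"accessor": accessor})
        except GONE:
            continue
        done.append(accessor)
    return done
```

Against a real server, pass `vault_call(addr, token)` instead of `fake_vault(...)`. Use a token other than the ones being revoked: once the caller's own token is revoked, the remaining calls fail.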