Determine time left on a Lease


Steve Dillon

Jun 5, 2017, 1:05:26 PM
to Vault
We create Expiring AWS credentials with default 24h TTL.
steved@steve-mint ~/.dii/creds/prod1 $ vault read awsnonprod/creds/qm_xfer_svc
Key             Value
---             -----
lease_id       awsnonprod/creds/qm_xfer_svc/e6be9f1f-c957-d976-7595-5fc7d6fb18bb
lease_duration 24h0m0s
lease_renewable true
access_key     AKIAIK6YGLGCQU3P5JWA
secret_key     REMOVED
security_token <nil>


I would like to be able to query the amount of time left on the lease. There appears to be an API for this: /sys/leases/lookup, but I'm not finding a way to get this information from either the CLI client or the Python SDK. Am I missing an easy way to query the remaining time on a lease?

Jeff Mitchell

Jun 5, 2017, 1:10:04 PM
to Vault
Hi Steve,

You can use 'vault read sys/leases/lookup.......' to get this information.

Best,
Jeff

This email message, and any documents which may accompany it, contain information which is intended for use only by the intended recipient(s), and may contain information that is privileged and/or confidential. If you are not the intended recipient of this message you are hereby notified that any review, disclosure, dissemination, distribution, copy or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender by reply email, delete the email from your computer and destroy all copies of the communication and any attachments.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/52c08d5d-db38-4477-8bd5-58a9c6614ce4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Steve Dillon

Jun 5, 2017, 1:23:52 PM
to Vault
I'm stumped on the syntax though... 
[adm.dii.sd0071@ue1b-pjmpbx01 ~]$ vault read /sys/leases/lookup 
No value found at sys/leases/lookup
[adm.dii.sd0071@ue1b-pjmpbx01 ~]$ vault read /sys/leases/lookup awsnonprod/creds/qm_xfer_svc/e6be9f1f-c957-d976-7595-5fc7d6fb18bb
read expects one argument
Usage: vault read [options] path
[adm.dii.sd0071@ue1b-pjmpbx01 ~]$ vault read /sys/leases/lookup/awsnonprod/creds/qm_xfer_svc/e6be9f1f-c957-d976-7595-5fc7d6fb18bb
No value found at sys/leases/lookup/awsnonprod/creds/qm_xfer_svc/e6be9f1f-c957-d976-7595-5fc7d6fb18bb
[adm.dii.sd0071@ue1b-pjmpbx01 ~]$ vault read /sys/leases/lookup/e6be9f1f-c957-d976-7595-5fc7d6fb18bb
No value found at sys/leases/lookup/e6be9f1f-c957-d976-7595-5fc7d6fb18bb



Jeff Mitchell

Jun 5, 2017, 1:39:48 PM
to Vault
Hi Steve,

Check https://www.vaultproject.io/api/system/leases.html for details on the syntax.

Best,
Jeff


Steve Dillon

Jun 5, 2017, 2:15:44 PM
to Vault
I've been looking at that and trying to figure out how to send a "Payload" JSON request with a vault read. The JSON says I should do a PUT with a JSON payload that includes the lease_id. I've tried vault read and write in many different variations. I guess I'll go poke through the vault CLI code.

Steve Dillon

Jun 5, 2017, 2:28:52 PM
to Vault
Looking at the ChangeLog, it looks like sys/leases/lookup had some changes in 0.7.1, released May 5, 2017. GH-2650. We are on Vault 0.7 so I need to track down older docs or give up on this until our next upgrade.

Jeff Mitchell

Jun 5, 2017, 2:50:25 PM
to Vault
Hi Steve,

sys/leases/lookup didn't have changes in 0.7.1, it didn't exist before then :-)

For PUT/POST API calls, use "vault write".

Best,
Jeff
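
An added example (not part of the thread, and not HashiCorp's code): the lookup discussed above, which on the CLI is `vault write sys/leases/lookup lease_id=<lease_id>` on Vault 0.7.1 or later, built as a raw PUT from Python with the remaining time computed from the response. The `expire_time` field is taken from the leases API page linked above; the Vault address and token are placeholders supplied by the caller, and the sample response is constructed.

```python
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample of a sys/leases/lookup response; timestamps are made up.
SAMPLE_RESPONSE = {"data": {
    "id": "awsnonprod/creds/qm_xfer_svc/e6be9f1f-c957-d976-7595-5fc7d6fb18bb",
    "issue_time": "2017-06-05T17:05:26.123456789Z",
    "expire_time": "2017-06-06T17:05:26.123456789Z",
    "last_renewal": None,
    "renewable": True,
    "ttl": 82800,
}}

_RFC3339 = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)")

def build_lookup_request(vault_addr, token, lease_id):
    """Build the PUT request; the lease ID travels in the JSON body, not the URL."""
    return urllib.request.Request(
        vault_addr.rstrip("/") + "/v1/sys/leases/lookup",
        data=json.dumps({"lease_id": lease_id}).encode(),
        method="PUT",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )

def parse_vault_time(value):
    """Parse an RFC 3339 timestamp, truncating nanoseconds to microseconds."""
    m = _RFC3339.fullmatch(value)
    if m is None:
        raise ValueError("not an RFC 3339 timestamp: %r" % value)
    base, frac, zone = m.groups()
    micros = (frac or "")[:6].ljust(6, "0")
    zone = "+00:00" if zone == "Z" else zone
    return datetime.strptime(base + "." + micros + zone, "%Y-%m-%dT%H:%M:%S.%f%z")

def time_left(response, now=None):
    """Return remaining lease time as a timedelta, zero if already expired."""
    expire_time = response["data"].get("expire_time")
    if not expire_time:
        return None  # no expiry recorded for this lease
    now = now or datetime.now(timezone.utc)
    return max(parse_vault_time(expire_time) - now, timedelta(0))

if __name__ == "__main__":
    # Offline run: evaluate the constructed sample at a fixed "now".
    now = datetime(2017, 6, 5, 18, 5, 26, tzinfo=timezone.utc)
    print(time_left(SAMPLE_RESPONSE, now))
```

To query a live server, pass the request to `urllib.request.urlopen` and feed the decoded JSON body to `time_left`.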
