recommended setup for token auto-renewal

El Capitan

Feb 28, 2017, 10:35:11 AM
to Vault
I have X applications, each with its own unique Vault token and custom authorization policy.  Every Y days, I want to renew tokens for my X applications, expiring the old tokens.  What Vault workflow do you recommend to accomplish this?  Is this considered rolling in Vault, or are you using "rolling" to refer to an undetermined future?

X0:  new token
X0 + Y:  new token, expire old token


Since I am renewing at the moment that a new token replaces the old, I didn't want to TTL the tokens at X0 + Y but rather set the TTL further out so as to allow the renewal process to initiate first.


Craig Sawyer

Mar 1, 2017, 7:17:08 PM
to Vault

I'm not sure I completely understand, but you can call "vault token-create" in the CLI to create a new token.  Alternatively you can allow token renewal, so you keep the same token and just change the expiry on it; see "vault token-renew" in the CLI.  There are also API calls to do these functions (see the docs).  As to how to do it, you can let cron do it; that's sort of its purpose.  If your applications are Vault-aware (i.e. in-house apps or something), then the apps themselves usually handle token generation/renewal as part of their normal runtime.

By default, expirable things in Vault last 32 days, so you could at day 1 (or day 30) (i.e. in /etc/cron.monthly or similar) just have it run a vault token-create (or token-renew) command.  If the command fails for some reason (and you notice), you would then have ~2 days to fix it, or manually create/renew a token before the old one vanished.

Vault doesn't do any of this for you, you have to do it yourself.

Hope this helps,
-Craig
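The "new token at X0, new token plus revoke old at X0 + Y" workflow from the first post, written as a rotation job you could run from cron. This is an added example, not code from either poster or from HashiCorp: the endpoint paths (auth/token/create, auth/token/lookup-accessor, auth/token/revoke-accessor) are Vault's real HTTP API, while the app names, policies, the rotator's token and the in-memory FakeVault that lets it run offline are all constructed for the example. The new token's TTL is the rotation period plus a grace window (Craig's 30 + ~2 days), the old token is revoked only after the new one has been looked up and its granted TTL checked against the schedule (Vault silently caps ttl at the mount's max_ttl), and only accessors are stored, so the job never keeps the secret token values.

```python
import json
import secrets
import urllib.request

DAY = 86400


class VaultTokenClient:
    """Thin wrapper over the token endpoints the rotation job needs."""

    def __init__(self, addr, token, transport=None):
        self.addr = addr.rstrip("/")
        self.token = token  # rotator's own token; needs capabilities on auth/token/*
        self.transport = transport or self._http

    def _http(self, path, body):
        # Real transport: POST JSON to <addr>/v1/<path> with the X-Vault-Token header.
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", data=json.dumps(body).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    def create_child(self, display_name, policies, ttl_seconds):
        # Child token restricted to the app's policy. renewable=False: the
        # rotation schedule, not renewal, is the only thing keeping it alive.
        auth = self.transport("auth/token/create", {
            "display_name": display_name, "policies": policies,
            "ttl": f"{ttl_seconds}s", "renewable": False})["auth"]
        return auth["client_token"], auth["accessor"]

    def lookup_accessor(self, accessor):
        return self.transport("auth/token/lookup-accessor", {"accessor": accessor})["data"]

    def revoke_accessor(self, accessor):
        self.transport("auth/token/revoke-accessor", {"accessor": accessor})


def rotate(client, app, policies, old_accessor, period_days, grace_days):
    """One rotation step (X0, then X0 + Y, ...) for one application.

    TTL = period + grace: the token outlives the *next* scheduled rotation by
    grace_days, so a failed cron run leaves that long to notice and fix it.
    The old token is revoked only after the new one has been verified."""
    if grace_days <= 0:
        raise ValueError("grace must be positive, or a missed run takes the app down")
    ttl = (period_days + grace_days) * DAY
    new_token, new_accessor = client.create_child(f"{app}-rotated", policies, ttl)
    info = client.lookup_accessor(new_accessor)
    # Vault caps ttl at max_ttl without an error; a capped token would expire
    # before the next rotation, so refuse to switch over to it.
    if info["ttl"] < period_days * DAY:
        client.revoke_accessor(new_accessor)
        raise RuntimeError(f"{app}: granted ttl {info['ttl']}s is shorter than the rotation period")
    if old_accessor:
        client.revoke_accessor(old_accessor)
    return new_token, new_accessor


class FakeVault:
    """Constructed in-memory stand-in for the three endpoints above, so the
    example runs offline. max_ttl mimics the mount-level cap on token ttl."""

    def __init__(self, max_ttl=32 * DAY):
        self.max_ttl = max_ttl
        self.tokens = {}  # accessor -> record

    def __call__(self, path, body):
        if path == "auth/token/create":
            tok, acc = "hvs." + secrets.token_hex(8), secrets.token_hex(8)
            ttl = min(int(body["ttl"].rstrip("s")), self.max_ttl)
            self.tokens[acc] = {"token": tok, "ttl": ttl, "policies": body["policies"]}
            return {"auth": {"client_token": tok, "accessor": acc, "lease_duration": ttl}}
        if path == "auth/token/lookup-accessor":
            rec = self.tokens[body["accessor"]]
            return {"data": {"accessor": body["accessor"], "ttl": rec["ttl"], "policies": rec["policies"]}}
        if path == "auth/token/revoke-accessor":
            self.tokens.pop(body["accessor"], None)
            return {}
        raise KeyError(path)


def demo(period_days=30, grace_days=2, max_ttl_days=32):
    """Run two rotations (X0 and X0 + Y) for two hypothetical apps."""
    fake = FakeVault(max_ttl=max_ttl_days * DAY)
    client = VaultTokenClient("http://127.0.0.1:8200", "rotator-token", transport=fake)
    apps = {"billing": ["billing-ro"], "reports": ["reports-rw"]}
    accessors = {app: None for app in apps}
    for _step in range(2):
        for app, policies in apps.items():
            _, accessors[app] = rotate(client, app, policies, accessors[app], period_days, grace_days)
    return fake, accessors


if __name__ == "__main__":
    fake, accessors = demo()
    print("live tokens after two rotations:", len(fake.tokens), accessors)
```

Two things to keep in mind when pointing this at a real server: child tokens are revoked along with their parent, so if the rotator's own token is ever rotated or revoked, every app token it created dies with it (create orphans via auth/token/create-orphan, or give the rotator a long-lived token of its own), and the token value returned by create_child has to reach the application out of band, which is the part of the workflow cron cannot do for you.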