# Allow them to extend the life of a granted token
path "sys/renew/awsnonprod/creds/qm_xfer_svc/*" {
  capabilities = [ "update" ]
}
EOH
$ vault policies app_qmattach_dev
# Allow them to create AWS access keys in the non-prod account
path "awsnonprod/creds/qm_xfer_svc" {
  capabilities = [ "read" ]
}
# Allow them to extend the life of a granted token
path "sys/renew/*" {
  capabilities = [ "create","read","update","delete","list" ]
}
(python3.6) steved@steve-mint ~/.dii/creds/prod1 $ vault auth -method=ldap username=sd0071 mount=ourdomain
Password (will be hidden):
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: 90bdf8da-xxxx-yyyy-zzzz-89101fb7ed56
token_duration: 2764799
token_policies: [adm_terraformer app_hermes_dev app_qmattach_dev app_qmattach_lambda_dev default demo_human_policy ent_cadet_developers]
(python3.6) steved@steve-mint ~/.dii/creds/prod1 $ vault read awsnonprod/creds/qm_xfer_svc
Key              Value
---              -----
lease_id         awsnonprod/creds/qm_xfer_svc/e6be9f1f-c957-d976-7595-5fc7d6fb18bb
lease_duration   24h0m0s
lease_renewable  true
access_key       AKIAIK6Y....JWA
secret_key       REMOVED
security_token   <nil>
(python3.6) steved@steve-mint ~/.dii/creds/prod1 $ vault renew awsnonprod/creds/qm_xfer_svc/e6be9f1f-c957-d976-7595-5fc7d6fb18bb
Renew error: Error making API request.
Code: 403. Errors:
* permission denied
func (c *Sys) Renew(id string, increment int) (*Secret, error) {r := c.c.NewRequest("PUT", "/v1/sys/renew")body := map[string]interface{}{"increment": increment,"lease_id": id,}if err := r.SetJSONBody(body); err != nil {return nil, err}
$ vault read awsnonprod/creds/qm_xfer_svc
Key              Value
---              -----
lease_id         awsnonprod/creds/qm_xfer_svc/a2fa5de6-5d32-96d3-d9ed-2d44690818d3
lease_duration   24h0m0s
lease_renewable  true
access_key       AKIAI
secret_key       REMOVED
security_token   <nil>
$ vault renew awsnonprod/creds/qm_xfer_svc/a2fa5de6-5d32-96d3-d9ed-2d44690818d3
Renew error: Error making API request.
Code: 403. Errors:
* permission denied
$ curl -L -k -X PUT --header "X-Vault-Token: 90bdf8da-xxxx-yyyy-zzzz-89101fb7ed56" https://xxx.com:8200/v1/sys/renew/awsnonprod/creds/qm_xfer_svc/a2fa5de6-5d32-96d3-d9ed-2d44690818d3
{"request_id":"81cc9f8d-34ac-c4b4-8896-b89735764612","lease_id":"awsnonprod/creds/qm_xfer_svc/a2fa5de6-5d32-96d3-d9ed-2d44690818d3","renewable":true,"lease_duration":86400,"data":null,"wrap_info":null,"warnings":null,"auth":null}
$ vault write -f sys/renew/awsnonprod/creds/qm_xfer_svc/a2fa5de6-5d32-96d3-d9ed-2d44690818d3
Key              Value
---              -----
lease_id         awsnonprod/creds/qm_xfer_svc/a2fa5de6-5d32-96d3-d9ed-2d44690818d3
lease_duration   24h0m0s
lease_renewable  true
$ vault write sys/renew/awsnonprod/creds/qm_xfer_svc/a2fa5de6-5d32-96d3-d9ed-2d44690818d3 increment=10
Key              Value
---              -----
lease_id         awsnonprod/creds/qm_xfer_svc/a2fa5de6-5d32-96d3-d9ed-2d44690818d3
lease_duration   10s
lease_renewable  true
# Allow them to extend the life of a granted token
path "sys/renew/awsnonprod/creds/qm_xfer_svc/*" {
  capabilities = [ "update" ]
}
EOH