Large number of leaseids - slow vault startup

[Julian Gamble]

Hi Everyone, 

My version of vault (backed by consul) is taking a long duration to start up (30 mins). 

I see a large number of keys under here:

http://consul.domain.com/ui/#/my-app/kv/vault/sys/expire/id/auth/app-id/login/

http://consul.domain.com/ui/#/my-app/kv/vault/sys/token/id

Is there a standard way to encourage vault to clean these out? Should I clean them out maually?

I'm running vault 0.6.0

Cheers

Julian

[Jeff Mitchell]

Hi Julian,

It depends -- if they're live leases, you'll need to revoke them; if not and they're still sticking around they may be hitting some bugs that have since been fixed. As a related note, you really should upgrade to at least 0.6.4 and ideally 0.7.0 as there have been security fixes related to token handling.

Usually if a large number of tokens are being generated it's because processes are logging in to get new tokens constantly instead of re-using tokens they have; or, the token duration is much much longer than the expected user lifetime. You may want to take a look at how Vault is being used to see if you can identify why you have so many tokens from app-id and prevent as many being generated in the future.

Best,

Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/280be398-dd9c-48d9-b3a5-5a219964c46c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.