Cannot renew an orphan token


Vinay Madyalkar

Apr 6, 2016, 11:47:29 PM
to Vault
I am creating an orphan token using the REST API:
{
   "ttl":"720h",
   "num_uses": 0,
   "policies": ["test_policy"]
}

Token gets created, and lookup on the created token yields the following result:
{
"lease_id":"",
"renewable":false,
"lease_duration":0,
"data": {
"accessor":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"creation_time":1459952118,
"creation_ttl":2592000,
"display_name":"token",
"id":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"meta":null,
"num_uses":0,
"orphan":true,
"path":"auth/token/create",
"policies":["default","test_policy"],
"role":"",
"ttl":0
},
"warnings":null,
"auth":null
}

I am pretty sure that the lease on the token has not expired, since I have set the ttl to "720h".
Why is it that the ttl on lookup of the token shows "0"?
Next, when I try to renew this token, I see this error message: "lease not found or lease is not renewable".

Why am I not able to renew this orphan token?

I am using Vault v0.5.2.


Jeff Mitchell

Apr 7, 2016, 11:50:25 AM
to vault...@googlegroups.com
Hi Vinay,

Thanks for reporting this. This is a display bug -- the TTL isn't
zero, but the lookup function is using the wrong path when going
through the create-orphan endpoint. Sorry about that! I've fixed it in
https://github.com/hashicorp/vault/pull/1306

As for renewal, my guess is you are not using the 'vault token-renew'
function (or the API equivalent at auth/token/renew or
auth/token/renew-self). Tokens don't have leases like secrets, so
renewal goes through the token store.

Best,
Jeff

Sigmund Augdal

Apr 14, 2016, 4:17:33 AM
to Vault

Hi,

I have the same, or a very similar, issue when using roles. My role has orphan=true and period=168h. My hope was to put such tokens on my servers and renew them as long as the server was active, and have them expire if a server were down for some period of time. However, renewal does not work.
Example output:

$ vault token-lookup f0446e6b-1e86-46f3-9719-2ae8608b00f7
Key           Value
accessor     7a29ba65-5431-4676-a7cc-51f3f60a19b4
creation_time 1.460621113e+09
creation_ttl 604800
display_name my_token
id           f0446e6b-1e86-46f3-9719-2ae8608b00f7
meta         <nil>
num_uses     0
orphan       true
path         auth/token/create/dataporten/00001
policies     [dataporten-cassandra-node default]
role         dataporten
ttl           0


$ vault token-renew f0446e6b-1e86-46f3-9719-2ae8608b00f7
Error renewing token: Error making API request.

Code: 500. Errors:

* lease not found or lease is not renewable

So just like "Vinay Madyalkar" I get TTL 0 in the output, and just like him my renewal fails. I'm also using 0.5.2.

Best regards

Sigmund Augdal

Jeff Mitchell

Apr 14, 2016, 5:59:37 AM
to vault...@googlegroups.com
Sigmund,

The TTL showing 0 is purely a display bug.

Vinay did not mention using a periodic token, and I could not
replicate his issue. I'll try it again using a periodic token and
orphan.

Best,
Jeff

Jeff Mitchell

Apr 14, 2016, 6:05:20 AM
to vault...@googlegroups.com
Hi Sigmund,

I'm afraid I'm going to need some steps from your end that will
reproduce this bug; it's working for me:

$ vault write auth/token/roles/test orphan=true period=20s
Success! Data written to: auth/token/roles/test

$ vault write -f auth/token/create/test
Key Value
token 0ab53079-5ef3-d000-249b-a2821732cc62
token_accessor ec79e6ab-b88d-3b8e-b7e8-be8f2de8030b
token_duration 20
token_renewable true
token_policies [default]

$ vault token-renew
Key Value
token 0ab53079-5ef3-d000-249b-a2821732cc62
token_accessor ec79e6ab-b88d-3b8e-b7e8-be8f2de8030b
token_duration 20
token_renewable true
token_policies [default]

$ export VAULT_TOKEN=0ab53079-5ef3-d000-249b-a2821732cc62

$ vault token-lookup
Key Value
accessor ec79e6ab-b88d-3b8e-b7e8-be8f2de8030b
creation_time 1.46062821e+09
creation_ttl 20
display_name token
id 0ab53079-5ef3-d000-249b-a2821732cc62
last_renewal_time 1.460628224e+09
meta <nil>
num_uses 0
orphan true
path auth/token/create/test
policies [default]
role test
ttl 14

$ vault token-renew
Key Value
token 0ab53079-5ef3-d000-249b-a2821732cc62
token_accessor ec79e6ab-b88d-3b8e-b7e8-be8f2de8030b
token_duration 20
token_renewable true
token_policies [default]

Thanks,
Jeff

Sigmund Augdal

Apr 14, 2016, 6:57:37 AM
to vault...@googlegroups.com
Here is a revised test case that shows the issue with version 0.5.2. The issue seems to be related to path_suffix:

sigmunda@dlsiau-13:~$ vault read auth/token/roles/test
Key             Value
allowed_policies []
name             test
orphan           true
path_suffix     suf1
period           2e+10
sigmunda@dlsiau-13:~$ vault write auth/token/roles/test orphan=true period=20s path_suffix=suffix
Success! Data written to: auth/token/roles/test
sigmunda@dlsiau-13:~$ vault write -f auth/token/create/test
Key             Value
token           788ff2b2-8f75-1f6c-2f78-3a1218f1edc3
token_accessor 8c490714-d0cb-9bbc-ae8c-a86164438adb
token_duration 20
token_renewable true
token_policies [default]
sigmunda@dlsiau-13:~$ export VAULT_TOKEN=788ff2b2-8f75-1f6c-2f78-3a1218f1edc3
sigmunda@dlsiau-13:~$ vault token-lookup
Key           Value
accessor     8c490714-d0cb-9bbc-ae8c-a86164438adb
creation_time 1.460631104e+09
creation_ttl 20
display_name token
id           788ff2b2-8f75-1f6c-2f78-3a1218f1edc3
meta         <nil>
num_uses     0
orphan       true
path         auth/token/create/test/suffix
policies     [default]
role         test
ttl           0
sigmunda@dlsiau-13:~$ vault token-renew
Error renewing token: Error making API request.

Code: 500. Errors:

* lease not found or lease is not renewable
sigmunda@dlsiau-13:~$ vault token-lookup
error looking up token: Error making API request.

Code: 403. Errors:

* permission denied


As you can see, ttl is shown as 0 when looking up the token, even though it isn't expired. This isn't the case for tokens in your test case, where path_suffix wasn't set.
A side note here: I did manage to have vault token-lookup output ttl 0 once, before it started saying permission denied, so I think the ttl internally is stored with higher precision than what is shown by vault token-lookup. Maybe it would be an idea to use ceil rather than floor when rounding what is displayed?

Best regards

Sigmund Augdal

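Jeff's point above that tokens have no lease of their own and are renewed through the token store, together with Sigmund's side note about a live token being displayed as ttl 0, are worth seeing as a client-side check. The script below is an added example and is not code from this thread or from HashiCorp: it assumes the auth/token/create-orphan, auth/token/lookup-self and auth/token/renew-self endpoints named in the thread, reads VAULT_ADDR and VAULT_TOKEN from the environment, and computes the remaining TTL itself (ceil-rounded, from creation/renewal time and creation_ttl) instead of trusting the reported ttl field. The sample lookup at the bottom is constructed to mirror Vinay's output.

```python
import json
import math
import os
import time
import urllib.request

# Tokens have no lease of their own (lease_id is empty in a lookup), so
# renewal goes through the token store, never sys/renew. Endpoints are the
# ones named in the thread; VAULT_ADDR / VAULT_TOKEN come from the environment.
CREATE_ORPHAN = "auth/token/create-orphan"
LOOKUP_SELF = "auth/token/lookup-self"
RENEW_SELF = "auth/token/renew-self"

def vault_request(addr, token, path, payload=None):
    """GET when payload is None, else POST JSON, with the token header."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path}", data=data,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def remaining_ttl(lookup, now=None):
    """Seconds left, from creation (or last renewal) time plus creation_ttl,
    ceil-rounded so a live token with under a second left never reads 0.
    Exact for periodic tokens (creation_ttl is the period); a sanity check only
    for plain tokens, whose renewal increment may differ from creation_ttl."""
    d = lookup["data"]
    start = d.get("last_renewal_time") or d["creation_time"]
    now = time.time() if now is None else now
    return max(0, math.ceil(start + d["creation_ttl"] - now))

def lookup_is_suspicious(lookup, now=None):
    """The symptom in this thread: ttl reported as 0 on a token that was
    issued with a finite creation_ttl and, by our own arithmetic, is still live."""
    d = lookup["data"]
    return d["ttl"] == 0 and d["creation_ttl"] > 0 and remaining_ttl(lookup, now) > 0

# Constructed sample shaped like Vinay's lookup output (ids omitted).
SAMPLE_LOOKUP = {"lease_id": "", "renewable": False, "lease_duration": 0,
                 "data": {"creation_time": 1459952118, "creation_ttl": 2592000,
                          "orphan": True, "num_uses": 0, "ttl": 0,
                          "policies": ["default", "test_policy"]}}

if __name__ == "__main__":
    addr, parent = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
    auth = vault_request(addr, parent, CREATE_ORPHAN,
                         {"ttl": "720h", "num_uses": 0, "policies": ["test_policy"]})["auth"]
    info = vault_request(addr, auth["client_token"], LOOKUP_SELF)
    print("reported ttl", info["data"]["ttl"], "computed", remaining_ttl(info),
          "suspicious", lookup_is_suspicious(info))
    renewed = vault_request(addr, auth["client_token"], RENEW_SELF, {})["auth"]
    print("renew-self ->", renewed["renewable"], renewed["lease_duration"])
```

The parent token must be permitted to create orphan tokens; a 403 from the lookup after a failed renew, as in Sigmund's transcript, means the token really is gone rather than misreported.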

Jeff Mitchell

Apr 14, 2016, 7:30:06 AM
to vault...@googlegroups.com
Hi Sigmund,

Thanks -- that's the information I needed. It's definitely related to
path_suffix and not orphan.

I'll post back when I have more info.

Thanks,
Jeff


Jeff Mitchell

Apr 14, 2016, 8:10:31 AM
to vault...@googlegroups.com
This has been fixed in https://github.com/hashicorp/vault/pull/1331

Best,
Jeff

Nimi Wariboko

May 12, 2016, 1:03:14 AM
to Vault
I'm having a very similar issue where I cannot renew my tokens. I listed out my exact steps here: https://gist.github.com/nemothekid/33561d7ad931ee7231aafdfa58be4abd

Jeff Mitchell

May 12, 2016, 2:15:14 AM
to vault...@googlegroups.com
Hi Nimi,

This thread was regarding a bug in token roles, which you are not
using. I cannot reproduce your problem:

$ curl -X POST -H "X-Vault-Token: $(cat ~/.vault-token)" -d '{"ttl":"1h", "policies":["default"], "num_uses":0}' "${VAULT_ADDR}/v1/auth/token/create-orphan"
{"lease_id":"","renewable":false,"lease_duration":0,"data":null,"warnings":null,"auth":{"client_token":"46dbf4e9-edf9-cde9-adfc-a0f7e0e083aa","accessor":"72264655-bbd3-782d-14a7-b34f520199af","policies":["default"],"metadata":null,"lease_duration":3600,"renewable":true}}

$ VAULT_TOKEN=46dbf4e9-edf9-cde9-adfc-a0f7e0e083aa vault token-renew
Key Value
token 46dbf4e9-edf9-cde9-adfc-a0f7e0e083aa
token_accessor 72264655-bbd3-782d-14a7-b34f520199af
token_duration 2591977
token_renewable true
token_policies [default]

If you need more assistance, please open up a GitHub issue and be sure
to include the logs from Vault.

Thanks,
Jeff