Troubleshooting a vault token


Wesley Staples

Aug 11, 2017, 11:27:16 AM
to Vault
I have a situation where my program on every request looks up a secret stored in Vault. I can see in my program's log file that the last successful request occurred at 5:13PM. At 5:24PM (11 minutes later) requests started being rejected with:

The Vault server at `http://my_ip:8200' responded with a 403. (Vault::HTTPClientError)
Any additional information the server supplied is shown below:

  * permission denied


When I attempted to use token-lookup the output was:

Error looking up token: Error making API request.

URL: GET http://<my_ip>:8200/v1/auth/token/lookup/<my_token>
Code: 403. Errors:

* bad token

I checked my audit logs from Vault. They only show the same pattern. The token was working, then suddenly it was not.
How can I find out what happened to the token? Why did it become invalid? I used token-create with the id flag and that seems to have fixed the token, but I still need to know what went wrong.


Chris Hoffman

Aug 11, 2017, 11:44:09 AM
to vault...@googlegroups.com
The likely scenario is that the token expired.  All tokens created come with an associated lease and when that lease expires, the token goes away.  You can check the remaining TTL by using the token lookup command that you used when checking the token.

You can also read more about token lifecycles on the Token Concepts page https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls.  

Chris
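
Added example, not part of the original thread and not Vault's or the vault-ruby gem's own code: reading the fields of a token lookup response to decide whether a client should keep using, renew, or replace its token, and to check whether lease expiry explains a window between the last good request and the first 403. The field names follow Vault's token lookup response; the sample values, the timestamps (assumed UTC), the `margin` setting and the function names are constructed for illustration.

```ruby
require "json"
require "time"

# Constructed sample of a token lookup response, as it would look if captured
# while the token was still valid. All values are invented.
SAMPLE_LOOKUP = <<~JSON
  {"data": {"creation_time": 1502299080, "creation_ttl": 86400, "ttl": 1200,
            "explicit_max_ttl": 0, "renewable": true,
            "expire_time": "2017-08-10T17:18:00Z"}}
JSON

# Decide what a client should do with its token.
# margin: seconds of remaining lease below which we act (hypothetical setting).
def token_action(lookup_json, now:, margin: 300)
  d = JSON.parse(lookup_json).fetch("data")
  return :ok if d["expire_time"].nil?        # token has no expiry (e.g. root)
  remaining = Time.iso8601(d["expire_time"]) - now
  return :reauthenticate if remaining <= 0   # lease gone: Vault answers 403
  return :ok if remaining > margin
  return :reauthenticate unless d["renewable"]
  # Renewal cannot extend a token past explicit_max_ttl counted from creation.
  max = d["explicit_max_ttl"].to_i
  if max > 0 && (d["creation_time"] + max - now.to_i) <= margin
    return :reauthenticate
  end
  :renew
end

# True when the token's expiry falls after the last successful request and at
# or before the first denied one, i.e. lease expiry fits the failure window.
def expiry_explains_failure?(lookup_json, last_ok:, first_denied:)
  expire = JSON.parse(lookup_json).dig("data", "expire_time")
  return false if expire.nil?
  t = Time.iso8601(expire)
  t > last_ok && t <= first_denied
end
```

Once a token has expired, lookup itself returns 403, so the lookup data has to be recorded while the token is still valid, for example on a schedule alongside the application's own logs.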


