Possible to adjust TTL for tokens received from auth?


Chris

Mar 1, 2016, 4:53:17 PM3/1/16
to Vault
For example, logging in with LDAP credentials, I get a token back that has a TTL of 30 days. Is it possible to change the default to be 1 day instead? I'm thinking this is tied to the "system default" TTL, which would mean lowering that would lower it for everything. Is that correct?

Thanks!

Jeff Mitchell

Mar 1, 2016, 4:58:37 PM3/1/16
to vault...@googlegroups.com
Hi Chris,

See the information about tuning mounts at
https://www.vaultproject.io/docs/http/sys-mounts.html -- you can set a
default/max TTL on just that mount.

Some backends support configuring this directly in the backend, as
well, but I don't think LDAP has this coded in. A workaround would be
to separate out different mounts if you want different logins (e.g. in
different OUs) to have different default/max TTLs.

Best,
Jeff

Chris

Mar 2, 2016, 7:38:47 PM3/2/16
to Vault
Hi Jeff,

Thank you for your reply. I'm not sure I understand. If I wanted to adjust the TTL of the client_token returned from an app-id auth, would I still do that from tuning one of the mounts? Would I tune the sys/ mount? My output looks like this:


$ vault mounts
Path        Type       Default TTL  Max TTL    Description
cubbyhole/  cubbyhole  n/a          n/a        per-token private secret storage
pki/        pki        system       315360000
secret/     generic    system       system     generic secret storage
sys/        system     n/a          n/a        system endpoints used for control, policy and debugging

Thanks!

Jeff Mitchell

Mar 2, 2016, 7:49:29 PM3/2/16
to vault...@googlegroups.com
Hi,

The app-id backend uses default/max values set on the mount. So that
will be the system default unless it's set to some other value. You
can set this with the API, or with the 'vault' command -- check the
output of 'vault mount-tune -h'. If mounted at the normal place you'd
want to tune 'auth/app-id' as the path.

Best,
Jeff

Chris

Mar 2, 2016, 8:20:56 PM3/2/16
to Vault
Oh ok, I thought that was for tuning a "secret" backend and didn't work with "auth" backends. I'll give that a try and let you know.

Thanks!

Jeff Mitchell

Mar 2, 2016, 8:31:00 PM3/2/16
to vault...@googlegroups.com
Hi Chris,

As of 0.5 that works on *any* mount. It even works on auth/token! Note
that the maximum is enforced strictly, but the default value (and a
lower maximum value) may be imposed by a specific backend, e.g. via
role parameters.

Best,
Jeff
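As an added illustration (not code from the thread or from Vault itself), the following Python models how a tuned mount default/max TTL and a backend's own role settings combine into the TTL of a newly issued token, following the two rules Jeff gives above: the mount's max is a hard cap that a backend may only lower, while the default falls back from role to mount to system. The system values and the helper names are assumptions chosen to mirror Chris's 30-day case.

```python
# Added example: a model of token TTL resolution as described in this thread.
# All values are in seconds; the system-level numbers below are assumptions.

SYSTEM_DEFAULT_TTL = 30 * 24 * 3600   # 30 days, the TTL Chris observes on LDAP tokens
SYSTEM_MAX_TTL = 32 * 24 * 3600       # assumed system max lease TTL


def effective_token_ttl(mount_default=None, mount_max=None,
                        role_ttl=None, role_max=None,
                        system_default=SYSTEM_DEFAULT_TTL,
                        system_max=SYSTEM_MAX_TTL):
    """Return the TTL a new token from this auth mount would receive.

    - A max tuned on the mount replaces the system max and is enforced strictly.
    - A backend (e.g. via role parameters) may impose a lower max, never a higher one.
    - The default comes from the role if set, else the tuned mount default,
      else the system default, and is then clamped to the effective max.
    """
    hard_max = mount_max if mount_max is not None else system_max
    if role_max is not None:
        hard_max = min(hard_max, role_max)      # backend can only tighten the cap

    if role_ttl is not None:
        ttl = role_ttl
    elif mount_default is not None:
        ttl = mount_default
    else:
        ttl = system_default
    return min(ttl, hard_max)


def chris_case():
    """Before and after tuning 'auth/app-id' to a one-day default and max."""
    before = effective_token_ttl()                                  # untouched mount
    after = effective_token_ttl(mount_default=86400, mount_max=86400)
    # A role asking for 48h on the tuned mount is still capped at the mount max.
    capped = effective_token_ttl(mount_default=86400, mount_max=86400, role_ttl=172800)
    return before, after, capped


if __name__ == "__main__":
    b, a, c = chris_case()
    print(f"untuned: {b // 3600}h, tuned: {a // 3600}h, role 48h on tuned mount: {c // 3600}h")
```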

Chris

Mar 3, 2016, 4:40:55 PM3/3/16
to Vault
Ah ok, cool, I'll give that a try.

As always, thanks for the help Jeff!