Need documentation link for periodic tokens


Niks

Jun 9, 2016, 6:51:59 AM
to Vault
Can someone please post the documentation link for periodic tokens? Looking for complete details like
1) What are periodic tokens?
2) How to create roles and tokens?
3) Which backend needs to be enabled?

Niks

Francis Chuang

Jun 9, 2016, 7:05:07 AM
to Vault
There really isn't much about them in the documentation, so here's what I have found out:

When we talk about periodic tokens, they only apply to authentication tokens. They are the tokens you use to authenticate with vault to read and write secrets and do everything else: https://www.vaultproject.io/docs/auth/token.html

1. Normally, tokens have a ttl and max_ttl. ttl is how much "life" there is left in the token before it expires. You can renew the token to increase the lifespan. However, the max_ttl is how long this token is allowed to exist, and after max_ttl is reached, it is no longer usable. For example, if you have a ttl of 1 hour and a max_ttl of 1 hour, you would not be able to renew it because the token can only exist for 1 hour. However, you can reduce the ttl by setting a lower ttl. If you have a ttl of 30 minutes and a max_ttl of 1 hour, you can increase the ttl up to 1 hour after the token creation time.

A periodic token has an unlimited max_ttl, so to speak, and a normal ttl. So, if you have a token with a ttl of 30 minutes, as long as you renew it every 30 minutes, the token will exist forever.

2. From what I know, to use periodic tokens, you need to create a role. For example

vault write /auth/token/roles/myrole period="30m" allowed_policies="policy1,policy2"

vault write /auth/token/create/myrole

3. Periodic tokens are part of the token auth backend and are automatically enabled by default.


Hope that helps,
Francis

Niks

Jun 9, 2016, 8:27:21 AM
to Vault
Thanks Francis. Very well explained.
With your help I am able to create a token with a role as below:

1) vault write /auth/token/roles/myrole1 allowed_policies="myReadPolicy"

2) vault token-create -role myrole1

3) C:\Users\njain>vault token-lookup 12e83550-afaa-30f0-784c-5c23b38e9097
Key             Value
accessor        16977dd4-800b-dba1-cce4-e29cf91b354f
creation_time   1.465474451e+09
creation_ttl    3.1536e+07
display_name    token
id              12e83550-afaa-30f0-784c-5c23b38e9097
meta            <nil>
num_uses        0
orphan          false
path            auth/token/create/myrole1
policies        [default myReadPolicy]
role            myrole1
ttl             3.1535971e+07

4) vault token-renew 12e83550-afaa-30f0-784c-5c23b38e9097 87600h

Key             Value
token           12e83550-afaa-30f0-784c-5c23b38e9097
token_accessor  16977dd4-800b-dba1-cce4-e29cf91b354f
token_duration  157679838
token_renewable true
token_policies  [default myReadPolicy]

my vault configuration is as below:

default_lease_ttl="8760h"
max_lease_ttl="43800h"

If you see above, renewal does not make the ttl equivalent to 87600h. It is setting the ttl only to max_lease_ttl (157680000 s), which means it is obeying the rule to limit the max allowed ttl to the max_lease_ttl setting.

How exactly is a periodic token (with no expiration) created? Am I missing something fundamental?

Thanks.

Niks

Francis Chuang

Jun 9, 2016, 8:12:51 PM
to Vault
You're missing the period option when creating your role.

Rather than vault write /auth/token/roles/myrole1 allowed_policies="myReadPolicy", try vault write /auth/token/roles/myrole1 allowed_policies="myReadPolicy" period="87600h"

I think the max_lease_ttl is not used for periodic tokens.

Cheers,
Francis

Niks

Jun 10, 2016, 5:16:12 AM
to Vault
Many Thanks Francis. You got it absolutely right.

The following revised steps worked:

1) Create a role with period
vault write /auth/token/roles/myrole1 allowed_policies="mypolicy" period="87600h"

2) Create token with this role
>vault token-create -role myrole1
Key             Value
token           499ea722-2570-5e35-e4ad-944012de0a60
token_accessor  e78bef0b-89b7-f639-5189-49945e96dd76
token_duration  315360000
token_renewable true
token_policies  [default mypolicy]

This token overrides the max_lease_ttl="43800h" (157680000 s).

Regards,
Niks
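The renewal rules Francis describes (a normal token can never be extended past creation_time + max_ttl, while a periodic token gets its ttl reset to the role's period on every renewal) and the numbers Niks observed in both of his token-create/token-renew attempts can be checked against a small model. The following Python is an added illustration written for this thread, not Vault's own code or CLI; the class and function names (Token, create_token, renew, survives) and the second-granularity clock are assumptions of the model, and the ttl values are taken from the configuration and output quoted above.

```python
"""Model of Vault's token renewal rules as described in the thread above.

Two kinds of token are modelled:
  * normal tokens: renewal may extend the ttl, but never past creation_time + max_ttl
  * periodic tokens: every renewal resets the ttl to the role's `period`; max_ttl is ignored
All times are integer seconds on a simulated clock (an assumption of this model).
"""
from dataclasses import dataclass
from typing import Optional

# Values from the thread: default_lease_ttl="8760h", max_lease_ttl="43800h"
DEFAULT_LEASE_TTL = 8760 * 3600    # 31536000 s, matches creation_ttl 3.1536e+07
MAX_LEASE_TTL = 43800 * 3600       # 157680000 s
PERIOD_87600H = 87600 * 3600       # 315360000 s, matches token_duration of the periodic token


@dataclass
class Token:
    creation_time: int
    ttl: int                        # seconds of life granted at the last renewal
    renewed_at: int                 # clock time of the last renewal (or creation)
    period: Optional[int] = None    # set only for periodic tokens (role period=...)
    max_ttl: int = MAX_LEASE_TTL

    def expires_at(self) -> int:
        return self.renewed_at + self.ttl

    def is_valid(self, now: int) -> bool:
        return now < self.expires_at()


def create_token(now: int, role_period: Optional[int] = None,
                 ttl: int = DEFAULT_LEASE_TTL) -> Token:
    """Create a token; a role with period= yields a periodic token whose ttl is the period."""
    if role_period is not None:
        return Token(creation_time=now, ttl=role_period, renewed_at=now, period=role_period)
    return Token(creation_time=now, ttl=ttl, renewed_at=now)


def renew(token: Token, now: int, increment: int) -> int:
    """Renew `token` at time `now`, asking for `increment` seconds; return the ttl granted."""
    if not token.is_valid(now):
        raise ValueError("token has expired and cannot be renewed")
    if token.period is not None:
        # Periodic token: the requested increment and max_ttl play no part.
        granted = token.period
    else:
        # Normal token: the hard cap is creation_time + max_ttl, whatever was requested.
        hard_cap = token.creation_time + token.max_ttl
        granted = min(increment, max(0, hard_cap - now))
    token.renewed_at = now
    token.ttl = granted
    return granted


def survives(token: Token, renew_every: int, horizon: int, increment: int) -> bool:
    """Renew a token (created at time 0) every `renew_every` seconds; is it valid at `horizon`?"""
    now = 0
    while now + renew_every < horizon:
        now += renew_every
        try:
            renew(token, now, increment)
        except ValueError:
            return False
    return token.is_valid(horizon)


if __name__ == "__main__":
    # Niks's first attempt: role without period=, renew asking for 87600h about 29 s later.
    normal = create_token(now=0)
    print("normal token renewed to", renew(normal, 29, PERIOD_87600H), "s (capped by max_lease_ttl)")

    # Niks's second attempt: role with period="87600h".
    periodic = create_token(now=0, role_period=PERIOD_87600H)
    print("periodic token created with ttl", periodic.ttl, "s")

    # Francis's 30-minute example: renewed before each expiry, the periodic token outlives max_ttl.
    print("periodic 30m token alive after 2x max_ttl:",
          survives(create_token(0, role_period=1800), 1500, 2 * MAX_LEASE_TTL, 1800))
    print("normal 30m token with 1h max_ttl alive after 10000 s:",
          survives(Token(0, 1800, 0, max_ttl=3600), 1500, 10000, 1800))
```

Running the script reproduces the behaviour in the thread: the normal token's renewal is clipped to creation_time + max_lease_ttl (157680000 s minus the seconds already elapsed, which is why Niks saw 157679838 rather than 87600h), whereas the periodic token is born with exactly the role's period as its ttl and gets that same value back on every renewal.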