Max TTL for secret lease and auth tokens


PJ

Dec 19, 2016, 3:33:02 PM
to Vault
I have a situation where I am running docker containers which fetch secrets from vault during start up of a container. So in this case, even if the max TTL of the auth token is reached, it doesn't affect me adversely, as I will have all the secrets available locally in the container's memory.

However, I am wondering if the secrets also have a max TTL just like tokens? In other words, will all the secrets expire after a fixed period of time? That is bad for me, since a container that starts up after all secrets have expired will have no secrets to fetch from Vault.

Jeff Mitchell

Dec 19, 2016, 3:40:05 PM
to vault...@googlegroups.com
Hi PJ,

It depends on the backend. If the response that comes back includes a non-empty lease_id in the JSON, it's a secret where Vault is managing the lifetime. As of now, only the KV (generic), transit, and PKI backends do not return leases -- the rest of the secrets will be revoked when the TTL runs out.

Best,
Jeff
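The check Jeff describes (look at `lease_id` in the JSON reply) is easy to automate at container start-up. The following is an added example, not code from the thread or from Vault; the two responses are constructed in the shape of Vault's read replies, and every id and secret value in them is a placeholder. The `startup_plan` helper and its wording are this example's own choice.

```python
import json

# Constructed sample responses in the shape of Vault's JSON read replies.
# Every identifier and secret value here is a placeholder, not real data.
KV_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000001",
    "lease_id": "",                 # empty: the KV backend hands out no lease
    "renewable": False,
    "lease_duration": 2764800,      # for KV this is only a cache hint
    "data": {"db_password": "PLACEHOLDER"},
    "auth": None,
})

CONSUL_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000002",
    "lease_id": "consul/creds/readonly/PLACEHOLDER-LEASE-ID",  # non-empty: leased
    "renewable": True,
    "lease_duration": 3600,
    "data": {"token": "PLACEHOLDER"},
    "auth": None,
})


def is_leased(response_json):
    """Vault manages this secret's lifetime exactly when lease_id is non-empty."""
    return bool(json.loads(response_json).get("lease_id"))


def lease_info(response_json, fetched_at):
    """Return (leased, renewable, revoke_at).

    revoke_at is fetched_at + lease_duration (seconds) for a leased secret and
    None for a static one: the lease_duration on a KV read is a cache hint,
    Vault does not revoke the stored data when it passes."""
    resp = json.loads(response_json)
    if not resp.get("lease_id"):
        return (False, False, None)
    return (True, bool(resp.get("renewable")),
            fetched_at + int(resp["lease_duration"]))


def startup_plan(response_json, fetched_at):
    """What a container should do with a secret it fetched at start-up
    (hypothetical helper; the policy wording is this example's own)."""
    leased, renewable, revoke_at = lease_info(response_json, fetched_at)
    if not leased:
        return "static: cache in memory, no renewal needed"
    if renewable:
        return "leased: renew before %d or re-fetch" % revoke_at
    return "leased, not renewable: re-fetch before %d" % revoke_at


if __name__ == "__main__":
    now = 1000  # constructed clock value, seconds
    for name, body in (("kv", KV_RESPONSE), ("consul", CONSUL_RESPONSE)):
        print(name, "->", startup_plan(body, now))
```

The useful distinction for the original question is in `lease_info`: a KV read carries a `lease_duration` too, but with an empty `lease_id` nothing is revoked when it elapses, whereas the Consul token really does go away at `revoke_at` unless it is renewed first.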

PJ

Dec 20, 2016, 7:51:48 PM
to Vault
Thank you for the insights Jeff.

So in the case of the Consul secret backend, does the Consul token have a max TTL? Is it derived from the mount's max TTL?

Jeff Mitchell

Dec 28, 2016, 11:09:12 AM
to vault...@googlegroups.com
Hi PJ,

The lease for the Consul token will have a max TTL after which it will be revoked (although if a regular TTL expires without being renewed this can happen earlier). There's a detailed write-up at https://www.vaultproject.io/docs/concepts/tokens.html if you like!

Best,
Jeff
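To make the two expiry paths in Jeff's answer concrete (revocation at the max TTL, or earlier when a regular TTL lapses unrenewed), here is an added model of a leased secret's lifetime. It is example code, not Vault's implementation or anything from the thread; it assumes, following the tokens write-up linked above, that each renewal extends the lease by its TTL but never past `issued_at + max_ttl`, and that a lease whose regular TTL has already run out cannot be renewed. Times are plain integer seconds so it runs offline, and the `refetch_deadline` margin is this example's own choice.

```python
class Lease:
    """Model of a Vault-managed lease (assumed semantics, not Vault's code):
    a regular TTL that moves forward on every renewal, under an absolute
    ceiling of issued_at + max_ttl."""

    def __init__(self, issued_at, ttl, max_ttl):
        self.issued_at = issued_at
        self.ttl = ttl
        self.hard_expiry = issued_at + max_ttl   # max TTL: never extended
        self.expires_at = issued_at + ttl        # regular TTL: moves on renew
        self.revoked = False

    def is_valid(self, now):
        return not self.revoked and now < self.expires_at

    def renew(self, now):
        """Return the new expiry, or None if the lease can no longer be
        renewed because its regular TTL lapsed before this renewal arrived."""
        if not self.is_valid(now):
            self.revoked = True
            return None
        # A renewal grants another TTL, capped at the max TTL ceiling; once
        # the ceiling is reached further renewals no longer move expiry.
        self.expires_at = min(now + self.ttl, self.hard_expiry)
        return self.expires_at


def simulate(ttl, max_ttl, renew_times, issued_at=0):
    """Drive one lease through renewals at the given instants.
    Returns (per-renewal results, the time the lease finally lapses)."""
    lease = Lease(issued_at, ttl, max_ttl)
    results = [lease.renew(t) for t in sorted(renew_times)]
    return results, lease.expires_at


def refetch_deadline(issued_at, max_ttl, margin=300):
    """Latest moment a consumer should fetch fresh credentials: before the max
    TTL revokes the current ones, minus a safety margin (margin is our choice)."""
    return issued_at + max_ttl - margin


if __name__ == "__main__":
    # Constructed scenario: 1h regular TTL, 4h max TTL.
    steady, end = simulate(3600, 14400, range(1800, 14400, 1800))
    print("renewed every 30 min:", steady, "-> revoked at", end)
    missed, end = simulate(3600, 14400, [1800, 7200])
    print("missed a renewal:   ", missed, "-> revoked at", end)
    print("re-fetch before:", refetch_deadline(0, 14400))
```

Run as-is, the steady case shows the expiry creeping forward until it pins at 14400 (the max TTL), while the second case shows the lease dying at 5400 because the renewal at 7200 came after the regular TTL had already lapsed. For the container scenario in the original question, that means a freshly started container can always fetch new Consul credentials; what it cannot do is keep reusing credentials issued before the max TTL of their lease passed.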