approle secret_id_ttl not working as advertised


Ken McVicker

Sep 28, 2017, 3:23:27 PM
to Vault
I set the secret_id_ttl for my approle to 6 months or 15724800 seconds.  When I create my secret_id, I get an expiry date that is only 32 days away.  I then set it to 2 years and I get the same 32 days.

Here are the settings for the role.

vault read auth/approle/role/demo-approle
Key                   Value
---                   -----
bind_secret_id        true
bound_cidr_list       10.0.0.0/8
period                0
policies              [default demo-write-acl]
secret_id_num_uses    0
secret_id_ttl         63158400
token_max_ttl         86400
token_num_uses        0
token_ttl             21600


I generate a secret_id with a write command and get back the secret-id and the secret-id-accessor.

vault write -f auth/approle/role/demo-approle/secret-id
Key                   Value
---                   -----
secret_id             d722222f-322b-8610-3224-f1111111193a
secret_id_accessor    e422225c-422c-0833-f229-f22222222141


I changed the digits above.

Then I use curl to read the parameters and I get a date only 32 days away.

$ cat payload.json2
{
  "secret_id_accessor": "e422225c-422c-0833-f229-f22222222141"
}
$ cat cmd.sh2
curl \
     --header "X-Vault-Token: 11111111-2222-3333-4444-555555555555" \
     --request POST \
     --data @payload.json2 \
     https://myvault:8200/v1/auth/approle/role/demo-approle/secret-id-accessor/lookup

Response

$ ./cmd.sh2 | jq

{
  "request_id": "d80fc7d8-3799-cfbf-4efe-52cfe96a882e",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "SecretIDNumUses": 0,
    "cidr_list": [],
    "creation_time": "2017-09-28T18:41:30.55330687Z",
    "expiration_time": "2017-10-30T18:41:30.55330687Z",
    "last_updated_time": "2017-09-28T18:41:30.55330687Z",
    "metadata": {},
    "secret_id_accessor": "e422225c-422c-0833-f229-f22222222141",
    "secret_id_num_uses": 0,
    "secret_id_ttl": 63158400
  },
  "wrap_info": null,
  "warnings": [
    "The field SecretIDNumUses is deprecated and will be removed in a future release; refer to secret_id_num_uses instead"
  ],
  "auth": null
}


As you can see, the creation and expiration times are only 32 days apart.  Is there another parameter controlling the TTL that is set on the mount or elsewhere?

Doing a read of sys/auth reveals:

Key            Value
---            -----
approle/       map[config:map[default_lease_ttl:0 max_lease_ttl:0] description: local:false type:approle]

Not sure where else to look or if the secret_id_ttl is just not working as desired.

I'll take a look at the code in a bit to see if I can figure it out.


Thanks,
Ken

Ken McVicker

Sep 28, 2017, 3:34:39 PM
to Vault

One other data point.  I just set the secret_id_ttl to 0 and then created a new secret_id and got an expiration time of "expiration_time": "0001-01-01T00:00:00Z", or infinite.
Looks like it works for a secret_id_ttl of infinite time.  It's just a problem if you set it to less.
-Ken

bkas...@hashicorp.com

Oct 2, 2017, 2:29:51 PM
to Vault
Hi Ken,

The TTL of the secret ID is capped to the Max TTL configured for the backend or in Vault's config file. You can either raise the TTL configured in Vault's configuration file (https://www.vaultproject.io/docs/configuration/index.html#max_lease_ttl), or for more granular control you could tune the approle mount to have a higher allowed Max TTL (https://www.vaultproject.io/api/system/mounts.html#tune-mount-configuration).

Hope this helps,
Brian
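The capping Brian describes, worked through with Ken's numbers, as an added example that is not part of the thread and not HashiCorp's code. It assumes three things, each also noted in the comments: Vault's default system-wide max_lease_ttl is 768h (32 days, 2764800 s, which matches the 2017-09-28 to 2017-10-30 gap above); a mount-level max_lease_ttl of 0 means "inherit the system value"; and a role secret_id_ttl of 0 means "never expires", as Ken observed. The tune call targets sys/auth/approle/tune, the mount-tune endpoint from the linked docs, and only fires when VAULT_ADDR and VAULT_TOKEN are set, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from HashiCorp: models how a
# secret ID TTL is capped by the mount's max TTL, and shows the tune
# call that raises the cap on the approle mount.
# Assumptions (see lead-in): system default max_lease_ttl = 768h;
# mount max_lease_ttl 0 = inherit system value; role secret_id_ttl 0 =
# no expiry (expiration_time 0001-01-01T00:00:00Z in the thread).

SYSTEM_MAX_LEASE_TTL=2764800   # 768h in seconds (assumed Vault default)

# max_ttl_for_mount MOUNT_MAX_TTL
# The cap that applies to the approle mount: the tuned value if set,
# otherwise the system default.
max_ttl_for_mount() {
    if [ "$1" -gt 0 ]; then echo "$1"; else echo "$SYSTEM_MAX_LEASE_TTL"; fi
}

# effective_secret_id_ttl ROLE_SECRET_ID_TTL MOUNT_MAX_TTL
# Prints the TTL (seconds) a newly issued secret ID actually gets.
effective_secret_id_ttl() {
    role_ttl=$1
    cap=$(max_ttl_for_mount "$2")
    if [ "$role_ttl" -eq 0 ]; then
        echo 0                      # no expiry at all
    elif [ "$role_ttl" -gt "$cap" ]; then
        echo "$cap"                 # silently capped, as Ken saw
    else
        echo "$role_ttl"
    fi
}

# tune_payload MAX_TTL_SECONDS
# JSON body for POST sys/auth/approle/tune; the "s" suffix makes it a
# Vault duration string.
tune_payload() {
    printf '{"max_lease_ttl": "%ss"}\n' "$1"
}

# tune_approle_mount MAX_TTL_SECONDS
# Issues the tune call against a real server. Skipped unless VAULT_ADDR
# and VAULT_TOKEN are set, so the script is safe to run offline.
tune_approle_mount() {
    if [ -z "$VAULT_ADDR" ] || [ -z "$VAULT_TOKEN" ]; then
        echo "VAULT_ADDR/VAULT_TOKEN not set; skipping tune call" >&2
        return 0
    fi
    tune_payload "$1" | curl -s --header "X-Vault-Token: $VAULT_TOKEN" \
        --request POST --data @- "$VAULT_ADDR/v1/sys/auth/approle/tune"
}

# Walk through the thread's numbers: a 2-year role TTL on an untuned
# mount yields 32 days; once the mount is tuned to 2 years it yields
# the full 2 years; a TTL of 0 stays unlimited.
demo() {
    echo "role 63158400s, mount untuned:   $(effective_secret_id_ttl 63158400 0)s"
    echo "role 63158400s, mount 63158400s: $(effective_secret_id_ttl 63158400 63158400)s"
    echo "role 0 (no expiry):              $(effective_secret_id_ttl 0 0)s"
    echo "tune body: $(tune_payload 63158400)"
    tune_approle_mount 63158400
}

demo
```

Because the cap is applied silently, checking expiration_time after issuing a secret ID (as Ken did with the accessor lookup) is the only reliable confirmation that the tune took effect; the role's secret_id_ttl alone does not tell you.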