Non-expiring non-root tokens

[Tom Noonan II]

Is it possible to create non-root tokens that do not expire? I have a
use case for dev tokens which may be used infrequently, and I'd like to
not have to worry about renewing or regenerating them.

--
Tom Noonan II
DevOps Engineer
TNo...@shoretel.com
(512) 551-7585
www.shoretel.com

[Joel Thompson]

Hi Tom,

Short answer, no, it's not actually possible. You can achieve something like it by setting a very long TTL on the order of years so that they in effect never expire.

However, there's a reason that it's not possible, because it's not a great idea. It'd be much better to make it easy for your devs to generate a new token whenever they need one (e.g., use the userpass or ldap backend and have a helper that pulls credentials out of a keychain) and incorporate that into their standard workflow.

There's been some discussion of this in the past, e.g., https://groups.google.com/forum/#!msg/vault-tool/y0S3yWVUqCI/32DEnYz_AQAJ and https://groups.google.com/forum/#!msg/vault-tool/kbVF5V9WEJI/VdnWRxsKBgAJ

--Joel

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.

GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/20170818112139.48c6e180%40TJNII-Desktop.corp.it.
For more options, visit https://groups.google.com/d/optout.