Will my token expire??


Maxwell Flanders

Oct 31, 2017, 4:02:03 PM
to Vault
Using the root token, I created a new token. This token calls self-renew every 10 minutes in order to reset its TTL. Because the parent token (root) will never expire, will this token also never expire?? Or will it still hit some sort of max TTL??

I have been reading and re-reading the documentation here at https://www.vaultproject.io/docs/concepts/tokens.html, but I am still not clear. They imply that since it is not periodic (it was not created using the "periodic" option) and it is not root, that it should die at some point but I'm not sure what the mechanism will be.

Joel Thompson

Oct 31, 2017, 9:48:05 PM
to vault...@googlegroups.com
Hi Maxwell,

It depends on a few things.

First, unless you created it as an orphaned token, then if the parent token ever gets explicitly revoked (and best practices are to revoke root tokens as soon as you're done using them!), your new token will be revoked.

Second, assuming either it's an orphaned token or the parent is never revoked, then it depends on how the token was created. Assuming you used the token-create command to create the new token (https://www.vaultproject.io/api/auth/token/index.html#create-token), then if you have specified it as a root token and no TTL, then it will never expire. If you specify it as a non-root token, then it will expire, unless you have specified it as a periodic token, in which case, as long as you renew it within the period specified, it won't expire.

I realize that's a bit confusing. I'd suggest calling lookup-self (https://www.vaultproject.io/api/auth/token/index.html#lookup-a-token-self-) on the new token and see what it returns.

First, look at the orphan field; that'll tell you if it's an orphan token or not. Second, look at the ttl field, and that'll tell you what the TTL on the token is (i.e., when it'll expire). If the ttl is 0, then it means it won't expire (assuming the parent isn't revoked!). Lastly, if there's a period field, then it's a periodic token, and the period field tells you what the period is.

Some examples:

$ vault token-lookup
Key                     Value
---                     -----
accessor                ba60737c-8e8f-daef-1878-a59fc1e94694
creation_time           1509499092
creation_ttl            0
display_name            root
entity_id        
expire_time             <nil>
explicit_max_ttl        0
id                      c87a03c5-c6dd-8e2d-3c4c-5bcbce13a0f9
meta                    <nil>
num_uses                0
orphan                  true
path                    auth/token/root
policies                [root]
ttl                     0


The orphan true line indicates it's an orphan, and ttl of 0 indicates it has an infinite lifetime. If we create a new root token without making it an orphan (via vault token-create):

$ vault token-lookup
Key                     Value
---                     -----
accessor                46e3a755-1bb1-389c-1d76-b128a8d723ae
creation_time           1509500515
creation_ttl            0
display_name            token
entity_id        
expire_time             <nil>
explicit_max_ttl        0
id                      23805973-76e1-7d82-caf2-410641c8fe1d
issue_time              2017-10-31T21:41:55.509222077-04:00
meta                    <nil>
num_uses                0
orphan                  false
path                    auth/token/create
policies                [root]
renewable               false
ttl                     0


Here, you can see the ttl is still 0, but it's not an orphan, so if the parent is revoked, this will be revoked as well.

Now, let's create a non-root token (with vault token-create -policy=default), and do a vault token-lookup on it:

$ vault token-lookup
Key                     Value
---                     -----
accessor                478df787-c56e-5799-9689-02cd97f97038
creation_time           1509500584
creation_ttl            2764800
display_name            token
entity_id        
expire_time             2017-12-02T20:43:04.428475108-05:00
explicit_max_ttl        0
id                      f99bd8d5-2ecf-f4c1-5d24-616b94f68ea0
issue_time              2017-10-31T21:43:04.428474871-04:00
meta                    <nil>
num_uses                0
orphan                  false
path                    auth/token/create
policies                [default]
renewable               true
ttl                     2764786


Now, it's still not an orphan, but you can see a non-zero ttl field. We can also create a root token with a ttl (using vault token-create -ttl=1h):

$ vault token-lookup
Key                     Value
---                     -----
accessor                2e561377-9c03-9bc1-64a8-c48357144d64
creation_time           1509500701
creation_ttl            3600
display_name            token
entity_id        
expire_time             2017-10-31T22:45:01.868283272-04:00
explicit_max_ttl        0
id                      60f9a15a-c9a8-64e4-496c-7ffd3457ed54
issue_time              2017-10-31T21:45:01.868282819-04:00
meta                    <nil>
num_uses                0
orphan                  false
path                    auth/token/create
policies                [root]
renewable               true
ttl                     3581

You can see that root tokens, by default, have an infinite TTL, but can be specified to have a limited TTL, and that non-root tokens will always have a limited TTL.

Lastly, if you want to create a periodic token (using vault token-create -period=1h -policy=default):

$ vault token-lookup
Key                     Value
---                     -----
accessor                40de239a-ab26-f95d-4d11-617e520e3190
creation_time           1509500808
creation_ttl            3600
display_name            token
entity_id        
expire_time             2017-10-31T22:46:48.270750657-04:00
explicit_max_ttl        0
id                      6ae20113-0975-4faf-073a-cd57018d8d52
issue_time              2017-10-31T21:46:48.270750405-04:00
meta                    <nil>
num_uses                0
orphan                  false
path                    auth/token/create
period                  3600
policies                [default]
renewable               true
ttl                     3580

Here, you can see a non-zero ttl, but also a period field, so that this can be renewed indefinitely.

Hope this helps!

--Joel

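Joel's recipe (read orphan, ttl and period from the lookup output) can be turned into a small checker. The script below is an added example, not code from the thread or from HashiCorp. It accepts either the bare data map shown by `vault token lookup` or the `{"data": {...}}` envelope that `vault token lookup -format=json` and the lookup-self API return (the envelope shape is assumed from the API docs), and reports whether the token can live forever, whether it dies with its parent, and what bounds its renewals. The sample records are constructed to mirror the five lookups in the thread, with ids and accessors left out; the 32-day default system max TTL is Vault's documented default, which is why the non-root sample's creation_ttl is 2764800. Maxwell's case is the `default_child` record: renewable but not periodic, so self-renewing every 10 minutes keeps it alive only until the max TTL is reached.

```python
"""Classify a Vault token's lifetime from `token lookup` data.

Added example, not code from the thread or from HashiCorp. Input is either
the bare data map shown by `vault token lookup` or the JSON envelope
({"data": {...}}) returned by `vault token lookup -format=json` and the
lookup-self API. Sample records are constructed from the thread's output.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Vault's default system max TTL is 32 days; it bounds renewals of any
# non-periodic token that has no explicit_max_ttl (assumed default here).
DEFAULT_SYSTEM_MAX_TTL = 32 * 24 * 3600  # 2764800 seconds


@dataclass(frozen=True)
class Verdict:
    expires: bool                # can the token die of old age?
    dies_with_parent: bool       # revoked when its creating token is revoked?
    max_lifetime: Optional[int]  # seconds from creation it can reach; None if unbounded
    reason: str


def _data(lookup: dict) -> dict:
    """Unwrap the API/CLI envelope if present."""
    return lookup["data"] if isinstance(lookup.get("data"), dict) else lookup


def classify(lookup: dict, system_max_ttl: int = DEFAULT_SYSTEM_MAX_TTL) -> Verdict:
    d = _data(lookup)
    ttl = int(d.get("ttl") or 0)
    creation_ttl = int(d.get("creation_ttl") or ttl)
    period = int(d.get("period") or 0)
    explicit_max = int(d.get("explicit_max_ttl") or 0)
    renewable = bool(d.get("renewable", False))
    dies_with_parent = not bool(d.get("orphan", False))

    if period > 0:
        # Periodic: each renewal resets ttl to the period; no max TTL applies.
        return Verdict(False, dies_with_parent, None,
                       f"periodic token: renew at least every {period}s and it never expires")
    if ttl == 0:
        # Only root-style tokens carry ttl 0: no expiry, they can only be revoked.
        return Verdict(False, dies_with_parent, None,
                       "ttl is 0: never expires, can only be revoked")
    if not renewable:
        return Verdict(True, dies_with_parent, creation_ttl,
                       f"non-renewable: expires {creation_ttl}s after creation")
    # Renewable but not periodic: self-renew keeps it alive only until the
    # explicit max TTL (if set) or the system/mount max TTL is reached.
    bound = explicit_max if explicit_max > 0 else system_max_ttl
    return Verdict(True, dies_with_parent, bound,
                   f"renewable, not periodic: renewals cannot extend past {bound}s from creation")


# Constructed records mirroring the five lookups in the thread (ids omitted).
SAMPLES = {
    "root_orphan":      {"orphan": True,  "ttl": 0,       "creation_ttl": 0,
                         "explicit_max_ttl": 0, "renewable": False, "policies": ["root"]},
    "root_child":       {"orphan": False, "ttl": 0,       "creation_ttl": 0,
                         "explicit_max_ttl": 0, "renewable": False, "policies": ["root"]},
    "default_child":    {"orphan": False, "ttl": 2764786, "creation_ttl": 2764800,
                         "explicit_max_ttl": 0, "renewable": True,  "policies": ["default"]},
    "root_1h":          {"orphan": False, "ttl": 3581,    "creation_ttl": 3600,
                         "explicit_max_ttl": 0, "renewable": True,  "policies": ["root"]},
    "periodic_default": {"orphan": False, "ttl": 3580,    "creation_ttl": 3600,
                         "explicit_max_ttl": 0, "renewable": True,  "period": 3600,
                         "policies": ["default"]},
}


def report(samples: dict = SAMPLES) -> dict:
    """Map each sample name to its verdict."""
    return {name: classify(rec) for name, rec in samples.items()}


if __name__ == "__main__":
    for name, v in report().items():
        print(f"{name:18} expires={v.expires!s:5} dies_with_parent={v.dies_with_parent!s:5} {v.reason}")
    # The CLI's JSON envelope parses the same way:
    envelope = json.dumps({"data": SAMPLES["default_child"]})
    print(classify(json.loads(envelope)).reason)
```

In practice you would pipe the real lookup into it (`vault token lookup -format=json | python3 -c 'import json,sys; ...'`) and alert on any long-lived service token whose verdict is "never expires" but which is not an orphan, since those silently disappear the moment someone revokes the root token that minted them.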