2018-01-17 01:16:20 +00:00
---
2020-01-18 00:18:09 +00:00
layout: guides
page_title: Tokens and Leases - Guides
sidebar_title: Tokens and Leases
2018-01-17 01:16:20 +00:00
description: |-
Tokens are the core method for authentication within Vault. For every
authentication token and dynamic secret, Vault creates a lease
2018-03-19 21:56:45 +00:00
containing information such as duration, renewability, and more.
Understanding the lifecycle of leases means understanding the lifecycle of
tokens in some sense.
2018-01-17 01:16:20 +00:00
---
# Tokens and Leases
Almost everything in Vault has an associated lease, and when the lease is
expired, the secret is revoked. Tokens are not an exception. Every non-root
token has a time-to-live (TTL) associated with it. When a token expires and it's
2018-03-19 21:56:45 +00:00
not renewed, the token is automatically revoked.
2018-01-17 01:16:20 +00:00
## Lease Hierarchy
When a new token or secret is created, it is a child of the creator. If the
parent is revoked or expires, so do all its children regardless of their own
leases. A child may be a token, secret, or authentication created by a parent. A
parent is almost always a **token**.
2018-03-19 21:56:45 +00:00
Suppose a hierarchy exists with respective TTL as follows:
2018-01-17 01:16:20 +00:00
2018-03-19 21:56:45 +00:00
```
2018-01-17 01:16:20 +00:00
b519c6aa... (3h)
6a2cf3e7... (4h)
1d3fd4b2... (1h)
794b6f2f... (2h)
2018-03-19 21:56:45 +00:00
```
2018-01-17 01:16:20 +00:00
In this scenario, the lease ID of `1d3fd4b2..` will expire in an hour. If a
token or secret with a lease is not renewed before the lease expires, it will be
revoked by the Vault server. When it's revoked, it takes its child
(`794b6f2f...`) although the child has one more hour before it expires. Then,
two hours later, `b519c6aa...` will be revoked and takes its child
(`6a2cf3e7...`) with it.
## Reference Material
2020-01-22 20:05:41 +00:00
- The [Validation](/guides/secret-mgmt/dynamic-secrets#validation) section of the
[Secret as a Service](/guides/secret-mgmt/dynamic-secrets) guide demonstrates lease
2020-01-18 00:18:09 +00:00
renewal and revocation
2020-01-22 20:05:41 +00:00
- [Tokens documentation](/docs/concepts/tokens)
- [Token Auth Method (API)](/api/auth/token)
- [Lease, Renew, and Revoke](/docs/concepts/lease)
2018-01-17 01:16:20 +00:00
2018-07-31 16:19:23 +00:00
~> **NOTE:** An [interactive
tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-tokens) is
also available if you do not have a Vault environment to perform the steps
described in this guide.
2018-01-17 01:16:20 +00:00
## Estimated Time to Complete
10 minutes
2018-01-25 00:01:44 +00:00
## Personas
The end-to-end scenario described in this guide involves one persona:
- **`admin`** with privileged permissions to create and manage tokens
See the [policy requirements](#policy-requirements) section for details.
2018-01-17 01:16:20 +00:00
## Challenge
2018-03-19 21:56:45 +00:00
Consider the following scenarios often encountered outside of Vault:
2018-01-17 01:16:20 +00:00
2018-03-19 21:56:45 +00:00
- There is no **break glass** procedure available for revoking
2020-01-18 00:18:09 +00:00
access to credentials in the event of a breach
2018-01-24 00:22:17 +00:00
- Credentials for external systems (e.g. AWS, MySQL) are shared
2018-03-19 21:56:45 +00:00
- Need temporal access to a database in a specific scenario
2018-01-17 01:16:20 +00:00
## Solution
Vault has built-in support for secret revocation. Vault can revoke not only
2018-03-19 21:56:45 +00:00
a single secret, but also a tree of secrets. For example, Vault can revoke all
2018-01-24 00:22:17 +00:00
secrets read by a specific **user** or all secrets of a specific **type**.
Revocation assists in key rolling as well as locking down systems in the case of
2018-01-25 00:01:44 +00:00
an intrusion.
If a user or machine needs a temporal access to Vault, you can set a short TTL
2018-03-19 21:56:45 +00:00
or a number of uses to a token so the token is automatically revoked at the
2018-01-25 00:01:44 +00:00
end of its life.
This also allows for organizations to plan and train for various
2018-01-17 01:16:20 +00:00
"break glass" procedures.
## Prerequisites
To perform the tasks described in this guide, you need to have a Vault
2020-01-18 00:18:09 +00:00
environment. Refer to the [Getting
2020-01-22 20:05:41 +00:00
Started](/intro/getting-started/install) guide to install Vault. Make sure
2018-01-24 00:22:17 +00:00
that your Vault server has been [initialized and
2020-01-22 20:05:41 +00:00
unsealed](/intro/getting-started/deploy).
2018-01-17 01:16:20 +00:00
2018-01-25 00:01:44 +00:00
### Policy requirements
2018-03-19 21:56:45 +00:00
-> **NOTE:** For the purpose of this guide, you can use the **`root`** token to work
with Vault. However, it is recommended that root tokens are used for just
2018-01-25 00:01:44 +00:00
enough initial setup or in emergencies. As a best practice, use tokens with
2018-03-19 21:56:45 +00:00
an appropriate set of policies based on your role in the organization.
2018-01-25 00:01:44 +00:00
To perform all tasks demonstrated in this guide, your policy must include the
following permissions:
```shell
2018-03-19 21:56:45 +00:00
# List available auth method - Step 1
2018-01-25 02:10:56 +00:00
path "sys/auth" {
capabilities = [ "read" ]
}
2018-01-25 00:01:44 +00:00
# Read default token configuration
path "sys/auth/token/tune" {
2018-01-25 02:10:56 +00:00
capabilities = [ "read", "sudo" ]
2018-01-25 00:01:44 +00:00
}
# Create and manage tokens (renew, lookup, revoke, etc.)
path "auth/token/*" {
capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}
2018-01-25 02:10:56 +00:00
2018-03-19 21:56:45 +00:00
# For Advanced Features - list available secret engines
2018-01-25 02:10:56 +00:00
path "sys/mounts" {
capabilities = [ "read" ]
}
2018-03-19 21:56:45 +00:00
# For Advanced Features - tune the database secret engine TTL
2018-01-25 02:10:56 +00:00
path "sys/mounts/database/tune" {
capabilities = [ "update" ]
}
2018-01-25 00:01:44 +00:00
```
If you are not familiar with policies, complete the
2020-01-22 20:05:41 +00:00
[policies](/guides/identity/policies) guide.
2018-01-25 00:01:44 +00:00
2018-01-17 01:16:20 +00:00
## Steps
2018-02-01 17:50:59 +00:00
Tokens are the core method for authentication within Vault. Tokens can be used
2018-03-19 21:56:45 +00:00
directly or dynamically generated by the auth methods. Regardless, the clients
2018-01-17 01:16:20 +00:00
need valid tokens to interact with Vault.
This guide demonstrates the lifecycle of tokens.
2018-03-19 21:56:45 +00:00
1. [Read token auth method configuration](#step1)
1. [Create short-lived tokens](#step2)
1. [Create tokens with use limit](#step3)
1. [Periodic tokens](#step4)
1. [Orphan tokens](#step5)
1. [Revoke tokens](#step6)
2018-01-17 01:16:20 +00:00
2018-03-19 21:56:45 +00:00
### <a name="step1"></a>Step 1: Read token auth method configuration
2018-01-17 01:16:20 +00:00
When you create leases with no specific TTL values, the default value applies
to the lease.
```shell
2018-01-30 18:46:27 +00:00
$ vault auth list
2018-01-17 01:16:20 +00:00
Path Type Accessor Default TTL Max TTL Replication Behavior Description
approle/ approle auth_approle_53f0fb08 system system replicated
github/ github auth_github_b770f4c8 system system replicated
token/ token auth_token_2ad69043 system system replicated token based credentials
userpass/ userpass auth_userpass_d326d2f9 system system replicated
```
The system max TTL is **32 days**, but you can override it to be longer or
shorter in Vault's configuration file.
Another option is to tune the mount configuration to override the system
defaults by calling the **`/sys/mounts/<PATH>/tune`** endpoint (e.g.
2018-03-19 21:56:45 +00:00
`/sys/mounts/database/tune`). For the auth method system configuration, call
2018-01-24 00:22:17 +00:00
**`/sys/auth/<METHOD>/tune`** endpoint.
NOTE: Refer to the [Advanced Features](#advanced-features) section for tuning
2018-03-19 21:56:45 +00:00
the system configuration.
2018-01-17 01:16:20 +00:00
#### CLI command
2018-03-19 21:56:45 +00:00
Read the default TTL settings for **token** auth method:
2018-01-17 01:16:20 +00:00
```shell
2018-01-24 00:22:17 +00:00
$ vault read sys/auth/token/tune
2018-01-17 01:16:20 +00:00
Key Value
--- -----
default_lease_ttl 2764800
force_no_cache false
max_lease_ttl 2764800
```
#### API call using cURL
2018-01-25 00:01:44 +00:00
Use `/sys/auth/token/tune` endpoint to read the default TTL settings for **token** auth
2018-03-19 21:56:45 +00:00
method:
2018-01-18 01:39:21 +00:00
2018-01-24 00:22:17 +00:00
```shell
$ curl --header "X-Vault-Token: <TOKEN>" \
--request GET \
<VAULT_ADDRESS>/v1/sys/auth/token/tune
2018-01-18 01:39:21 +00:00
```
2018-01-24 00:22:17 +00:00
Where `<TOKEN>` is your valid token with read permission on the
`sys/auth/token/tune` path.
2018-01-17 01:16:20 +00:00
2018-01-24 00:22:17 +00:00
**Example:**
```shell
$ curl --header "X-Vault-Token: ..." --request GET \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/auth/token/tune | jq
2018-01-17 01:16:20 +00:00
{
"default_lease_ttl": 2764800,
"max_lease_ttl": 2764800,
"force_no_cache": false,
"request_id": "630fd49d-f704-540f-0641-41516087654f",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"default_lease_ttl": 2764800,
"force_no_cache": false,
"max_lease_ttl": 2764800
},
"wrap_info": null,
"warnings": null,
"auth": null
}
```
-> **NOTE:** The returned TTL value is in seconds (2764800 seconds = 32 days).
2018-02-01 17:50:59 +00:00
### <a name="step2"></a>Step 2: Create short-lived tokens
2018-01-17 01:16:20 +00:00
2018-01-25 06:15:40 +00:00
Create a new token with TTL of 30 seconds which means that the token gets
automatically revoked after 30 seconds.
2018-01-17 01:16:20 +00:00
#### CLI command
2018-01-25 06:15:40 +00:00
To view optional parameters to create tokens:
```shell
2018-01-30 18:46:27 +00:00
$ vault token create -help
2018-01-25 06:15:40 +00:00
```
2020-01-18 00:18:09 +00:00
There are a number of parameters you can set. To specify the token TTL, pass
2018-01-25 06:15:40 +00:00
the value using `-ttl` parameter.
**Example:**
2018-01-17 01:16:20 +00:00
```shell
2018-01-24 00:22:17 +00:00
# Create a token with TTL of 30 seconds
2018-01-30 18:46:27 +00:00
$ vault token create -ttl=30s
2018-01-17 01:16:20 +00:00
Key Value
--- -----
2018-05-29 19:03:33 +00:00
token 3b2b1285-844b-4b40-6afa-623f39c1b738
token_accessor 2b2b5b83-7f22-fecd-03f0-4e25bf64da11
2018-01-17 01:16:20 +00:00
token_duration 30s
token_renewable true
2018-01-25 02:10:56 +00:00
token_policies [admin]
2018-01-17 01:16:20 +00:00
2018-01-24 00:22:17 +00:00
# Test the new token
2018-01-30 18:46:27 +00:00
$ VAULT_TOKEN=3b2b1285-844b-4b40-6afa-623f39c1b738 vault token lookup
2018-01-17 01:16:20 +00:00
Key Value
--- -----
accessor 2b2b5b83-7f22-fecd-03f0-4e25bf64da11
creation_time 1515702047
creation_ttl 30
display_name token
expire_time 2018-01-11T20:21:17.900969673Z
explicit_max_ttl 0
id 3b2b1285-844b-4b40-6afa-623f39c1b738
issue_time 2018-01-11T20:20:47.90096937Z
meta <nil>
num_uses 0
orphan false
path auth/token/create
2018-01-25 02:10:56 +00:00
policies [admin]
2018-01-17 01:16:20 +00:00
renewable true
ttl 8
```
2018-01-30 18:46:27 +00:00
**NOTE:** The `vault token lookup` command returns the token's properties.
2018-01-17 01:16:20 +00:00
In this example, it shows that this token has 8 more seconds before it expires.
2018-03-19 21:56:45 +00:00
When you execute a Vault command using the new token immediately following its
2018-01-17 01:16:20 +00:00
creation, it should work. Wait for 30 seconds and try again. It returns
**`Code: 403. Errors:`** which indicates a forbidden API call due to expired
token usage.
2018-03-19 21:56:45 +00:00
You can **renew** the token's TTL as long as the token has not expired.
2018-01-17 01:16:20 +00:00
```shell
2018-01-30 18:46:27 +00:00
$ vault token renew <TOKEN>
2018-01-17 01:16:20 +00:00
```
If you want to renew and extend the token's TTL, pass the desired extension:
```shell
2018-01-30 18:46:27 +00:00
$ vault token renew <TOKEN> <EXTENSION>
2018-01-17 01:16:20 +00:00
```
2018-05-29 19:03:33 +00:00
Or with revamped cli:
```shell
$ vault token renew -increment=<EXTENSION> <TOKEN>
```
2018-01-17 01:16:20 +00:00
The extension value can be an integer number of seconds (e.g. 3600) or a string
duration (e.g. "1h").
#### API call using cURL
2018-03-19 21:56:45 +00:00
Use the `auth/token/create` endpoint to create a new token. There are a number of
2020-01-22 20:05:41 +00:00
optional [parameters](/api/auth/token#create-token) that you can pass
2018-01-25 06:15:40 +00:00
in the request payload.
**Example:**
The following example sets the `ttl` parameter.
2018-01-24 00:22:17 +00:00
```shell
# Create a new token with TTl of 30 seconds
$ curl --header "X-Vault-Token: ..." --request POST \
--data '{"ttl": "30s"}' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/create | jq
2018-01-17 01:16:20 +00:00
{
...
"auth": {
"client_token": "f7d88963-1aba-64d7-11a0-9282ae7681d0",
"accessor": "c0a40d94-b814-e46f-7e56-ee18fccdf1b6",
"policies": [
2018-01-25 02:10:56 +00:00
"admin"
2018-01-17 01:16:20 +00:00
],
"metadata": null,
"lease_duration": 30,
"renewable": true
}
}
2018-01-24 00:22:17 +00:00
# Pass the returned token (`client_token`) in the `X-Vault-Token` header to test
$ curl --header "X-Vault-Token: f7d88963-1aba-64d7-11a0-9282ae7681d0" \
--request GET \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/lookup-self | jq
2018-01-17 01:16:20 +00:00
{
...
"data": {
2018-05-29 19:03:33 +00:00
"accessor": "c0a40d94-b814-e46f-7e56-ee18fccdf1b6",
2018-01-17 01:16:20 +00:00
"creation_time": 1515702669,
"creation_ttl": 30,
...
"renewable": true,
"ttl": 14
},
...
}
```
When you invoke the API using the new token immediately following its
creation, it should work. Wait for 30 seconds and try again. It returns
**`Code: 403. Errors:`** which indicates a forbidden API call due to expired
token usage.
#### Renew the token:
2018-01-24 00:22:17 +00:00
```shell
$ curl --header "X-Vault-Token: ..." --request POST \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/renew/<TOKEN> | jq
2018-01-17 01:16:20 +00:00
2018-01-24 00:22:17 +00:00
# Renew token with 1 hour extension
$ curl --header "X-Vault-Token: ..." --request POST \
--data '{"increment": "3600"}' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/renew/<TOKEN> | jq
2018-01-17 01:16:20 +00:00
```
-> **NOTE:** Tokens can be renewed as long as its life hasn't reached its max
TTL. For example, if the token's TTL is 1 hour and max TTL is 24 hours, you can
2018-03-19 21:56:45 +00:00
renew the token up to 24 hours from its creation time. Once 24 hours has passed from
the token's creation time, the token is revoked by Vault. For long running
2018-01-17 01:16:20 +00:00
processes, this may introduce complexity. In such case, use [periodic tokens](#step4).
### <a name="step3"></a>Step 3: Create tokens with use limit
In addition to TTL and max TTL, tokens may be limited to a number of uses. Use
limit tokens expire at the end of their last use regardless of their remaining
TTLs. On the same note, use limit tokens expire at the end of their TTLs
regardless of their remaining uses.
2018-03-19 21:56:45 +00:00
To create tokens with a use limit, set the number of uses when you
2018-01-17 01:16:20 +00:00
create them.
#### CLI command
2018-03-19 21:56:45 +00:00
Create a token with the `-use-limit` property argument.
2018-01-17 01:16:20 +00:00
**Example:**
```shell
2018-01-30 18:46:27 +00:00
$ vault token create -policy=default -use-limit=2
2018-01-17 01:16:20 +00:00
Key Value
--- -----
token bd39178e-176e-cc91-3930-94f7b0194de5
2018-05-29 19:03:33 +00:00
token_accessor a230f5ab-b59f-db0b-855d-36ea4319b58e
2018-01-17 01:16:20 +00:00
token_duration 768h0m0s
token_renewable true
token_policies [default]
```
2018-03-19 21:56:45 +00:00
This creates a token with the _default_ policy and a use limit of 2.
2018-01-17 01:16:20 +00:00
#### Verification
```shell
2018-01-30 18:46:27 +00:00
$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault token lookup
2018-01-17 01:16:20 +00:00
Key Value
--- -----
2018-05-29 19:03:33 +00:00
accessor a230f5ab-b59f-db0b-855d-36ea4319b58e
2018-01-17 01:16:20 +00:00
creation_time 1515710251
creation_ttl 2764800
display_name token
expire_time 2018-02-12T22:37:31.715486503Z
explicit_max_ttl 0
id bd39178e-176e-cc91-3930-94f7b0194de5
issue_time 2018-01-11T22:37:31.715486221Z
meta <nil>
num_uses 1
orphan false
path auth/token/create
policies [default]
renewable true
ttl 2764769
$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault write cubbyhole/token \
value=bd39178e-176e-cc91-3930-94f7b0194de5
Success! Data written to: cubbyhole/token
$ VAULT_TOKEN=bd39178e-176e-cc91-3930-94f7b0194de5 vault read cubbyhole/token
Error reading cubbyhole/token: Error making API request.
URL: GET http://127.0.0.1:8200/v1/cubbyhole/token
Code: 403. Errors:
* permission denied
```
2018-03-19 21:56:45 +00:00
The first command read the token's properties and then wrote a value to the cubbyhole
2020-01-18 00:18:09 +00:00
secret engine. This exhausted the use limit of 2 for this token. Therefore,
2018-03-19 21:56:45 +00:00
the attempt to read the secret from the cubbyhole failed.
2018-01-17 01:16:20 +00:00
#### API call using cURL
Set the `num_uses` property in the request payload.
2018-09-20 20:58:29 +00:00
```plaintext
2018-01-24 00:22:17 +00:00
$ curl --header "X-Vault-Token: ..." --request POST \
--data '{ "policies": ["default"], "num_uses":2 }' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/create | jq
2018-01-17 01:16:20 +00:00
{
"request_id": "0e98ff80-2825-7f50-6522-b6f95d596ef4",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668",
"accessor": "4dd5ef0d-8515-c3ae-ea49-016c3e9eb968",
"policies": [
"default"
],
"metadata": null,
"lease_duration": 2764800,
"renewable": true
}
}
```
2018-03-19 21:56:45 +00:00
This creates a token with the _default_ policy and a use limit of 2.
2018-01-17 01:16:20 +00:00
#### Verification
2018-01-24 00:22:17 +00:00
```text
$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \
--request GET \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/lookup-self | jq
2018-01-17 01:16:20 +00:00
{
"request_id": "77be1321-c0ca-e099-6f92-4ad87133b044",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"accessor": "4dd5ef0d-8515-c3ae-ea49-016c3e9eb968",
"creation_time": 1515711922,
"creation_ttl": 2764800,
"display_name": "token",
"expire_time": "2018-02-12T23:05:22.746137253Z",
"explicit_max_ttl": 0,
"id": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668",
"issue_time": "2018-01-11T23:05:22.746136892Z",
"meta": null,
"num_uses": 1,
...
}
2018-01-24 00:22:17 +00:00
$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \
--request POST \
--data '{ "value": "d9c2f2e5-6b8a-4021-476c-ebd3f166d668" }' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/cubbyhole/token
2018-01-17 01:16:20 +00:00
2018-01-24 00:22:17 +00:00
$ curl --header "X-Vault-Token: d9c2f2e5-6b8a-4021-476c-ebd3f166d668" \
--request GET \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/cubbyhole/token | jq
2018-01-17 01:16:20 +00:00
{
"errors": [
"permission denied"
]
}
```
2018-03-19 21:56:45 +00:00
The first command read the token's properties and then wrote a value to the cubbyhole
2020-01-18 00:18:09 +00:00
secret engine. This exhausted the use limit of 2 for this token. Therefore,
2018-03-19 21:56:45 +00:00
the attempt to read the secret from the cubbyhole failed.
2018-01-17 01:16:20 +00:00
### <a name="step4"></a>Step 4: Periodic tokens
2018-01-25 00:01:44 +00:00
**Root** or **sudo** users have the ability to generate **periodic tokens**.
2018-03-19 21:56:45 +00:00
Periodic tokens have a TTL, but no max TTL; therefore, they may live for an
2018-01-25 00:01:44 +00:00
infinite duration of time so long as they are renewed within their TTL. This
is useful for long-running services that cannot handle regenerating a token.
2018-01-17 01:16:20 +00:00
#### CLI command
2020-01-18 00:18:09 +00:00
First, create a token role with a specific `period`. When you set `period`,
2018-01-25 00:01:44 +00:00
tokens created for this role will have no max TTL. Instead, the `period` becomes
the token renewal period. This value can be an integer value in seconds (e.g.
2020-01-18 00:18:09 +00:00
2764800. or a string duration (e.g. 72h).
2018-01-17 01:16:20 +00:00
```shell
2018-01-24 00:22:17 +00:00
$ vault write auth/token/roles/<ROLE_NAME> allowed_policies="<POLICY_NAMES>" period=<RENEWAL_PERIOD>
2018-01-17 01:16:20 +00:00
```
**Example:**
```shell
2018-01-25 02:10:56 +00:00
$ vault write auth/token/roles/zabbix allowed_policies="default" period="24h"
2018-01-17 01:16:20 +00:00
```
Now, generate a token:
```shell
2018-01-30 18:46:27 +00:00
$ vault token create -role=zabbix
2018-01-17 01:16:20 +00:00
Key Value
--- -----
token de91ebba-20ad-18ba-fa43-08e1932de301
2018-05-29 19:03:33 +00:00
token_accessor 1f8abad0-c1db-9399-15ee-dd4b6230386c
2018-01-17 01:16:20 +00:00
token_duration 24h0m0s
token_renewable true
2018-01-25 02:10:56 +00:00
token_policies [default]
2018-01-17 01:16:20 +00:00
```
#### API call using cURL
2020-01-18 00:18:09 +00:00
First, create a token role by setting `period`. When you set `period`, tokens
2018-01-17 01:16:20 +00:00
created for this role will have no max TTL. Instead, the `period` becomes the
token renewal period. This value can be an integer value in seconds (e.g.
2020-01-18 00:18:09 +00:00
2764800. or a string duration (e.g. 72h).
2018-01-17 01:16:20 +00:00
**Example:**
2018-01-25 00:01:44 +00:00
```shell
2018-09-20 20:58:29 +00:00
# API request payload
$ tee payload.json <<EOF
2018-01-17 01:16:20 +00:00
{
"allowed_policies": [
2018-01-25 02:10:56 +00:00
"default"
2018-01-17 01:16:20 +00:00
],
"period": "24h"
}
2018-09-20 20:58:29 +00:00
EOF
# Create a token role called 'zabbix'
$ curl --header "X-Vault-Token: ..." --request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/token/roles/zabbix
2018-01-17 01:16:20 +00:00
```
2018-03-19 21:56:45 +00:00
This creates a token role named `zabbix` with `default` policies attached.
Its renewal period is set to 24 hours.
2018-01-17 01:16:20 +00:00
Now, generate a token:
2018-01-25 00:01:44 +00:00
```plaintext
2018-01-24 00:22:17 +00:00
$ curl --header "X-Vault-Token: ..." --request POST \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/create/zabbix | jq
2018-01-17 01:16:20 +00:00
{
...
"auth": {
"client_token": "a59c0d41-8df7-ba8e-477e-9bfb394f28a0",
"accessor": "c2023006-ce8d-532b-136f-330223ccf464",
"policies": [
2018-01-25 02:10:56 +00:00
"default"
2018-01-17 01:16:20 +00:00
],
"metadata": null,
"lease_duration": 86400,
"renewable": true,
"entity_id": ""
}
```
2018-03-19 21:56:45 +00:00
Generated tokens are renewable indefinitely as long as they are renewed
before the lease duration expires. The token renew command was covered in
2018-01-17 01:16:20 +00:00
[Step 2](#step2).
2018-01-25 02:10:56 +00:00
#### Additional Note: Periodic Tokens with AppRole
2018-01-17 01:16:20 +00:00
It probably makes better sense to create **AppRole** periodic tokens since we
2018-03-19 21:56:45 +00:00
are talking about long-running apps that need to be able to renew their token
2018-01-25 02:10:56 +00:00
indefinitely.
-> For more details about AppRole, read the [AppRole Pull
2020-01-22 20:05:41 +00:00
Authentication](/guides/identity/authentication) guide.
2018-01-25 02:10:56 +00:00
To create AppRole periodic tokens, create your AppRole role with
2018-01-17 01:16:20 +00:00
`period` specified.
**Example:**
```plaintext
2018-01-25 00:01:44 +00:00
$ vault write auth/approle/role/jenkins policies="jenkins" period="72h"
2018-01-17 01:16:20 +00:00
```
Or
2018-09-20 20:58:29 +00:00
```shell
# Sample request payload
$ tee payload.json <<EOF
2018-01-17 01:16:20 +00:00
{
"allowed_policies": [
2018-01-25 00:01:44 +00:00
"jenkins"
2018-01-17 01:16:20 +00:00
],
2020-01-18 00:18:09 +00:00
"period": "72h"
2018-01-17 01:16:20 +00:00
}
2018-09-20 20:58:29 +00:00
EOF
# Create a role named 'jenkins'
$ curl --header "X-Vault-Token:..." --request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/approle/role/jenkins
2018-01-17 01:16:20 +00:00
```
### <a name="step5"></a>Step 5: Orphan tokens
2018-09-20 20:58:29 +00:00
Orphan tokens are **not** children of their parent; therefore, orphan tokens do
not expire when their parent does.
2018-01-25 00:01:44 +00:00
2018-01-17 01:16:20 +00:00
**NOTE:** Orphan tokens still expire when their own max TTL is reached.
#### CLI command
2018-09-20 20:58:29 +00:00
The following CLI command requires **root** token or **sudo** capability on the
`auth/token/create` path.
2018-01-17 01:16:20 +00:00
```shell
2018-01-30 18:46:27 +00:00
$ vault token create -orphan
2018-01-17 01:16:20 +00:00
```
#### API call using cURL
2018-09-20 20:58:29 +00:00
To create an orphan token, use the **`auth/token/create-orphan`** endpoint:
2018-01-24 00:22:17 +00:00
```shell
$ curl --header "X-Vault-Token:..." --request POST \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/create-orphan | jq
2018-01-17 01:16:20 +00:00
```
2018-09-20 20:58:29 +00:00
Also, you can create an orphan token using the **`auth/token/create`** endpoint with
`no-parent` parameter set to true.
```shell
$ curl --header "X-Vault-Token:..." --request POST \
--data '{ "no_parent": true }' \
http://127.0.0.1:8200/v1/auth/token/create | jq
```
!> **NOTE:** The **`auth/token/create`** endpoint requires **root** token or
**sudo** capability to create an orphan token while
**`auth/token/create-orphan`** endpoint does not.
2018-01-17 01:16:20 +00:00
2018-01-25 23:07:35 +00:00
### <a name="step6"></a>Step 6: Revoke tokens and leases
2018-01-17 01:16:20 +00:00
Revoking a token and all its children.
#### CLI command
To revoke a specific token:
```shell
2018-01-30 18:46:27 +00:00
$ vault token revoke <TOKEN>
2018-01-17 01:16:20 +00:00
```
2018-01-25 23:07:35 +00:00
To revoke all leases under a specific path:
2018-01-17 01:16:20 +00:00
```shell
2018-01-30 18:46:27 +00:00
$ vault lease revoke -prefix <PATH>
2018-01-17 01:16:20 +00:00
```
**Example:**
```shell
# Revoke a specific token
2018-01-30 18:46:27 +00:00
$ vault token revoke eeaf890e-4b0f-a687-4190-c75b1d6d70bc
2018-01-17 01:16:20 +00:00
2018-03-19 21:56:45 +00:00
# Revoke all leases for database auth method
2018-01-30 18:46:27 +00:00
$ vault lease revoke -prefix database/creds
2018-01-17 01:16:20 +00:00
# Revoke all tokens
2018-01-30 18:46:27 +00:00
$ vault lease revoke -prefix auth/token/create
2018-01-17 01:16:20 +00:00
2018-05-29 19:03:33 +00:00
# Revoke all tokens by accessor
$ vault token revoke -accessor 2b2b5b83-7f22-fecd-03f0-4e25bf64da11
```
2018-01-17 01:16:20 +00:00
#### API call using cURL
2020-01-18 00:18:09 +00:00
To revoke a specific token, call `/auth/token/revoke` endpoint. If you want to revoke tokens/secrets under a specific path, call `/sys/leases/revoke-prefix/<PATH>`.
2018-01-17 01:16:20 +00:00
**Example:**
```shell
# Revoke a specific token
2018-01-24 00:22:17 +00:00
$ curl --header "X-Vault-Token:..." --request POST \
--data '{ "token": "eeaf890e-4b0f-a687-4190-c75b1d6d70bc" }' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/revoke
2018-01-17 01:16:20 +00:00
2018-03-19 21:56:45 +00:00
# Revoke all secrets for database auth method
2018-01-24 00:22:17 +00:00
$ curl --header "X-Vault-Token:..." --request POST \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/database/creds
2018-01-17 01:16:20 +00:00
# Revoke all tokens
2018-01-24 00:22:17 +00:00
$ curl --header "X-Vault-Token:..." --request POST \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/leases/revoke-prefix/auth/token/create
2018-05-29 19:03:33 +00:00
# Revoke all tokens by accessor
2018-09-20 20:58:29 +00:00
$ curl --header "X-Vault-Token: ..." --request POST \
--data '{ "accessor": "2b2b5b83-7f22-fecd-03f0-4e25bf64da11" }' \
http://127.0.0.1:8200/v1/auth/token/revoke-accessor
2018-01-17 01:16:20 +00:00
```
2018-01-18 01:39:21 +00:00
## Advanced Features
2018-01-17 01:16:20 +00:00
2018-03-19 21:56:45 +00:00
It is important to understand lease configuration to avoid having your
secret leases expire earlier than you expected.
2018-01-17 01:16:20 +00:00
#### 1. Determine the TTLs specific to the mount
```shell
2018-01-30 18:46:27 +00:00
$ vault secrets list
2018-01-17 01:16:20 +00:00
Path Type Accessor Plugin Default TTL Max TTL Force No Cache Replication Behavior Seal Wrap Description
cubbyhole/ cubbyhole cubbyhole_36021b8e n/a n/a n/a false local false per-token private secret storage
database/ database database_e21b9b4f n/a system system false replicated false
identity/ identity identity_035fe03b n/a n/a n/a false replicated false identity store
pki/ pki pki_9ae09eb3 n/a system system false replicated false
secret/ kv kv_2e59ba96 n/a system system false replicated false key/value secret storage
ssh/ ssh ssh_ea06b9bb n/a system system false replicated false
sys/ system system_f5b5ecac n/a n/a n/a false replicated false system endpoints used for control, policy and debugging
transit/ transit transit_07fc2df9 n/a system system false replicated false
```
2018-01-25 00:01:44 +00:00
Notice the **Default TTL** and **Max TTL** columns.
2018-01-17 01:16:20 +00:00
#### 2. Tune the system TTLs
Override the global defaults by specifying `default_lease_ttl` and
`max_lease_ttl` to meet your requirements.
**Example:**
2018-03-19 21:56:45 +00:00
The following example assumes that you have a database secret engine configured.
2018-01-25 00:01:44 +00:00
2018-01-17 01:16:20 +00:00
```shell
$ vault write sys/mounts/database/tune default_lease_ttl="8640"
```
Or
2018-01-25 00:01:44 +00:00
```shell
2018-01-24 00:22:17 +00:00
$ curl --header "X-Vault-Token:..." --request POST \
2018-01-25 00:01:44 +00:00
--data '{ "max_lease_ttl": 129600}' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/mounts/database/tune
2018-01-17 01:16:20 +00:00
```
#### 3. Check the role specific TTLs
2018-03-19 21:56:45 +00:00
Depending on the auth method, there may be more specific TTLs configured (e.g.
2018-01-17 01:16:20 +00:00
roles, groups, users) as you have done so in [Step 4](#step4).
```shell
$ vault read auth/token/roles/zabbix
Key Value
--- -----
2018-01-25 02:10:56 +00:00
allowed_policies [default]
2018-01-17 01:16:20 +00:00
disallowed_policies []
explicit_max_ttl 0
name zabbix
orphan false
path_suffix
period 86400
renewable true
```
## Next steps
2018-01-25 00:01:44 +00:00
2018-03-19 21:56:45 +00:00
Now that you have learned the lifecycle of tokens and leases, read the [AppRole Pull
2020-01-22 20:05:41 +00:00
Authentication](/guides/identity/authentication) guide to learn how to generate
2018-01-25 00:01:44 +00:00
tokens for apps or machines.