From 1997fbb73f85ac835c38c433a02ebf2212a2f1a8 Mon Sep 17 00:00:00 2001 From: Nick Cabatoff Date: Wed, 31 Aug 2022 10:37:25 -0400 Subject: [PATCH] Point people in the right direction for tokens used in transit autounseal. (#16951) --- website/content/docs/concepts/tokens.mdx | 5 +++-- website/content/docs/configuration/seal/transit.mdx | 6 ++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/website/content/docs/concepts/tokens.mdx b/website/content/docs/concepts/tokens.mdx index ca5edc57c..b796f321b 100644 --- a/website/content/docs/concepts/tokens.mdx +++ b/website/content/docs/concepts/tokens.mdx @@ -29,8 +29,9 @@ holder is allowed to do within Vault. Other mapped information includes metadata that can be viewed and is added to the audit log, such as creation time, last renewal time, and more. - -Read on for a deeper dive into token concepts. +Read on for a deeper dive into token concepts. See the +[tokens tutorial](https://learn.hashicorp.com/tutorials/vault/tokens) +for details on how these concepts play out in practice. ## Token Types diff --git a/website/content/docs/configuration/seal/transit.mdx b/website/content/docs/configuration/seal/transit.mdx index bcc359542..1c7e12aae 100644 --- a/website/content/docs/configuration/seal/transit.mdx +++ b/website/content/docs/configuration/seal/transit.mdx @@ -113,6 +113,12 @@ path "/decrypt/" { } ``` +Other considerations for the token used: +* it should probably be an [orphan token](/docs/concepts/tokens#token-hierarchies-and-orphan-tokens), +otherwise when the parent token expires or gets revoked the seal will break. +* consider making it a [periodic token](/docs/concepts/tokens#periodic-tokens) +and not setting an explicit max TTL, otherwise at some point it will cease to be renewable. + ## Key Rotation This seal supports key rotation using the Transit Secret Engine's key rotation endpoints. See
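Review bot: In the transit.mdx hunk, "it should probably be an orphan token" is too tentative for a setting whose failure mode is a Vault that cannot unseal; state it as a requirement, since a child token is revoked whenever its parent is revoked or expires, and the wrapping key then becomes unreachable on the next unseal. The same hunk would also help readers more if the two bullets were followed by a concrete way to mint such a token, e.g. `vault token create -orphan -period=24h -policy=<seal-policy>`, together with the caveat that creating a periodic or orphan token from the CLI needs a root or `sudo`-capable token (or a token role that sets `period` and `orphan`). Consider also wording the second bullet as "do not set an explicit max TTL" rather than "consider ... not setting", since an explicit max TTL on a periodic token does still cap renewals and will eventually break the seal in exactly the way the bullet warns about.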