Check in a service account

Return a service account previously checked out from a previously configured LDAP library.

Assumptions

You have set up an ldap plugin.
You have created an LDAP account library.

Returing a service account to the library tells Vault to rotate the associated password.

Use vault write with the -f flag and {mount_path}/library/{set_name}/check-out path to request a service account:

$ vault write -f <mount_path>/library/<set_name>/check-out

For example:

$ vault write -f devcreds/library/accounting-team/check-out

Key                     Value
---                     -----
lease_id                devcreds/library/accounting-team/check-out/EpuS8cX7uEsDzOwW9kkKOyGW
lease_duration          10h
lease_renewable         true
password                ?@09AZKh03hBORZPJcTDgLfntlHqxLy29tcQjPVThzuwWAx/Twx4a2ZcRQRqrZ1w
service_account_name    fizz@example.com

Tip

If the default checkout time is longer than you need, omit the -f flag and provide an explict ttl value so Vault can reclaim the account sooner if it becomes abandoned for some reason.

Make a POST call to {mount_path}/library/{set_name}/check-in with the service account name to return the service account:

$ curl                                                     \
  --request POST                                           \
  --header    "X-Vault-Token: ${VAULT_TOKEN}"              \
  --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}"      \
  --data '{"service_account_names": [<account_list>]}'     \
  ${VAULT_ADDR}/v1/<mount_path>/library/<set_name>/check-in

For example:

$ curl                                                     \
  --request POST                                           \
  --header    "X-Vault-Token: ${VAULT_TOKEN}"              \
  --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}"      \
  --data '{"service_account_names": ["fizz@example.com"]}' \
  ${VAULT_ADDR}/v1/devcreds/library/accounting-team/check-in

Tip

If the default checkout time is longer than you need, provide an explict ttl value so Vault can reclaim the account sooner if it becomes abandoned for some reason.