Vault
Token management
The Tokens tutorial demonstrated the lifecycle of Vault tokens. Remember that Vault persists the service tokens in the storage backend until they expire and Vault revokes them. Depending on the auth method, the generated service token varies in its size due to the amount of metadata attached to it. To avoid unused tokens from overtaking the storage memory, set an explicit token time-to-live (TTL) so that Vault will automatically revoke expired tokens.
Lab setup
To perform the tasks described in this tutorial, you need to have a Vault environment.
Refer to the Getting Started tutorial to install Vault.
Start a Vault
dev
server withroot
as the root token.$ vault server -dev -dev-root-token-id root
Insecure operation
Do not run a Vault dev server in production. This approach is only used here to simplify the unsealing process for this demonstration.
Export an environment variable for the
vault
CLI to address the Vault server.$ export VAULT_ADDR=http://127.0.0.1:8200
Login with the root token.
$ vault login root Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token. Key Value --- ----- token root token_accessor n9CYvD0GK3iV6nwAOZQAy9Md token_duration ∞ token_renewable false token_policies ["root"] identity_policies [] policies ["root"]
The Vault server is ready.
Configure the token TTL
When you create tokens or leases with no specific TTL values, the default value applies to them.
Create a token with default policy.
$ vault token create -policy=default Key Value --- ----- token hvs.CAESIPTd9dl2cePaceCI8SLKjD-mEq8pVC4vy730D7m9jImjGh4KHGh2cy45Y2pyUU5rSTB4Y3hpeno0aVJEZld3U1E token_accessor nE3v6ijndqozPlL5WPvY1LIq token_duration 768h token_renewable true token_policies ["default"] identity_policies [] policies ["default"]
Notice that the token TTL (
token_duration
) is 768 hours although you did not provide the TTL value.Display the
token
auth method settings.$ vault auth list -detailed Path Plugin Accessor Default TTL Max TTL Token Type ... ---- ------ -------- ----------- ------- ---------- token/ token auth_token_03fa2d1f system system default-service ...
The
token
auth method is the core method of authentication with Vault; therefore, Vault enables it by default while other auth methods must be enabled explicitly. Notice that thetoken_type
isdefault-service
.Note
The Default TTL and Max TTL of the
token
auth method is set tosystem
.Read the default TTL settings for token auth method.
$ vault read sys/auth/token/tune Key Value --- ----- default_lease_ttl 768h description token based credentials force_no_cache false max_lease_ttl 768h token_type default-service
The default token TTL (
default_lease_ttl
) and the max TTL (max_lease_ttl
) is set to 32 days (768 hours). This implies that the tokens are valid for 32 days from its creation whether an app is using the token or not.Tip
The Tokens tutorial demonstrated various parameters to control the token lifecycle; however, users often neglect to specify the token TTL.
You can override the default TTL on the
token
auth method itself so that Vault will revoke expired token in a reasonable amount of time.Set the default TTL to 8 hours and max TTL to 30 days (720 hours).
$ vault write sys/auth/token/tune default_lease_ttl=8h max_lease_ttl=720h Success! Data written to: sys/auth/token/tune
Read the configuration to verify.
$ vault read sys/auth/token/tune Key Value --- ----- default_lease_ttl 8h description token based credentials force_no_cache false max_lease_ttl 720h token_type default-service
Verification
Create a new token without specifying its TTL.
$ vault token create -policy=default Key Value --- ----- token hvs.CAESIEGiDhSts4rDwJQw4Twre1IJACXB5h288PWJVgZFMSbcGh4KHGh2cy5NZ09icUxqdmZnYU1wd1VJZGE5M0pDV0k token_accessor RtW8rWhB7trpfyfm9IC8Fow1 token_duration 8h token_renewable true token_policies ["default"] identity_policies [] policies ["default"]
Tip
Tune any of the auth method configurations using the /sys/auth/<METHOD>/tune
endpoint to override the system defaults.
Get the token count
If the token TTL is set reasonably, Vault should not be storing many unused tokens.
Refer to the Vault Usage Metrics tutorial which demonstrates the Usage Metrics dashboard.
Get the service token counts.
$ vault read sys/internal/counters/tokens
Example output:
Key Value
--- -----
counters map[service_tokens:map[total:3]]
The example output shows that there are 5 service tokens. In reality, you may have hundreds of app instances connecting to Vault. Then it becomes more important to know how many tokens exist in the Vault's storage backend.
Note
Remember that Vault does not persist batch tokens. Therefore,
the sys/internal/counters/tokens
endpoint returns the number of service tokens
in Vault.