Managing Vault Tokens – Hashicorp Vault


The default authentication method in Vault is tokens.  Any time you authenticate, regardless of the method, Vault creates a token, stores it somewhere, and then uses it for future interactions.  This article discusses the process for managing your Vault tokens using the vault CLI.

Authentication using a token

When you first install Vault, you will be given a default root token.  You can use this token to authenticate using the vault auth command:

Example: vault auth 9uhwwe8fhq2eo8hf8efh9fquhe

Now that you have authenticated, you have access to the rest of the vault commands:

Listing Tokens

You cannot list tokens in Vault.  This is for security reasons: if you could see someone’s token, you could use it to authenticate as them.  That said, when you authenticate in Vault, your token is stored as a user/system variable: VAULT_TOKEN.  Depending on your OS, you can show your current token by running:

echo %VAULT_TOKEN%

on Windows (cmd), or

echo $VAULT_TOKEN

on Linux or macOS.

While you cannot list the tokens, you can get a list of token accessors with the following command:

The above command lists the token accessors as well as their display names.  This is useful if you are trying to revoke tokens, since an accessor lets you revoke a token without knowing the token itself.

Creating Tokens

You can create additional tokens for authentication using the vault token-create command.  Depending on the arguments you specify, you will get different results.  The default TTL of a token is 24 hours, meaning the token will automatically be destroyed after 24 hours.

Create token

To create a token with all of the default settings, and with the same privileges as the currently logged in user, run:

Warning: if you authenticated with a root token, this will create another root token.  Root tokens don’t expire the way regular tokens do.

Specify Token Policy

If you want the token to have a specific policy applied, you can specify a policy with the -policy argument:

Set TTL

You can specify a non-default TTL with the -ttl argument.  The following command will create a vault token with a TTL of 1 hour:

The above command sets the TTL to 1 hour, so the token will expire after 1 hour.  However, the token can be renewed, which resets the TTL.

Renew Token

When your token is coming up for expiry, you don’t have to get a new one.  You can simply renew your token lease, as long as it has not yet reached the max TTL.  Renewing a token is done using the token-renew command:

Set Max TTL

Set the maximum TTL using the -explicit-max-ttl argument:

When you create a token, you might have a TTL of 60 seconds, but the user or system can renew that lease up until it reaches the max TTL.  Setting a max TTL ensures that tokens are short-lived, which limits how long a compromised token stays useful.

Set Display Name

Set the display name of a token using the -display-name argument:

Create token and set current session to use that token

The following command has been tested on OS X.  It creates a vault token with a TTL of 1 hour, then sets your current session to use that token.  Before this command will work, you have to first

Create token and set current session to use that token on OS X

Destroying Tokens

When you are finished with a token, it is good practice to destroy it so it cannot be used by unauthorized users and systems.  To destroy a token, run:
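To make the lifecycle described in the Listing, Set TTL, Renew, Set Max TTL and Destroying sections concrete, here is an added example (not from this post or from HashiCorp) that models those rules in plain Python: the token id is the secret, the accessor is the non-secret handle used for listing and revocation, renewal resets the TTL from the moment of renewal, and no renewal can push expiry past creation time plus the explicit max TTL.  The clock, the hvs. prefix and the field names are constructed for the example.

```python
import secrets
from dataclasses import dataclass

NEVER = float("inf")  # expiry of a token created with no TTL (root-style)

@dataclass
class Token:
    id: str           # the secret; Vault never lists these
    accessor: str     # non-secret handle, enough to look up or revoke
    display_name: str
    policies: tuple
    created: int      # seconds on a constructed clock
    ttl: int          # 0 = never expires
    max_ttl: int      # explicit max TTL; 0 = no cap
    expires: float

class TokenStore:
    """Constructed model of Vault's token lifecycle (not Vault's own code)."""
    def __init__(self):
        self._by_id, self._by_accessor = {}, {}
    def _cap(self, tok, candidate):
        # Renewal never pushes expiry past creation time + explicit max TTL.
        return min(candidate, tok.created + tok.max_ttl) if tok.max_ttl else candidate
    def create(self, now, ttl=24 * 3600, max_ttl=0, policies=("default",), display_name="token"):
        tok = Token("hvs." + secrets.token_hex(16), secrets.token_hex(12), display_name,
                    tuple(policies), now, ttl, max_ttl, NEVER)
        if ttl:
            tok.expires = self._cap(tok, now + ttl)
        self._by_id[tok.id] = self._by_accessor[tok.accessor] = tok
        return tok
    def lookup(self, token_id, now):
        tok = self._by_id.get(token_id)
        if tok is None or now >= tok.expires:
            raise PermissionError("token is unknown, revoked, or expired")
        return tok
    def ttl_remaining(self, token_id, now):
        return self.lookup(token_id, now).expires - now
    def renew(self, token_id, now):
        # Resets the TTL from the moment of renewal, subject to the max-TTL cap.
        tok = self.lookup(token_id, now)
        if tok.expires != NEVER:
            tok.expires = self._cap(tok, now + tok.ttl)
        return self.ttl_remaining(token_id, now)
    def list_accessors(self):
        # What an accessor listing exposes: handles and display names, never token ids.
        return sorted((t.accessor, t.display_name) for t in self._by_accessor.values())
    def revoke_by_accessor(self, accessor):
        tok = self._by_accessor.pop(accessor)  # KeyError if already revoked
        del self._by_id[tok.id]
```

Run it with a token of ttl=3600 and max_ttl=14400 and renew every 3000 seconds: the remaining TTL stays at 3600 until the cap is hit, after which each renewal only returns what is left before creation + 14400, and a lookup at that moment fails.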

Additional resources

The official Hashicorp resources on tokens can be found here:

https://www.vaultproject.io/docs/concepts/tokens.html

I also found this blog about vault useful:

https://www.amon.cx/blog/managing-all-secrets-with-vault/
