
The default authentication method in Vault is tokens.  Whatever method you authenticate with, Vault ends up issuing a token; the CLI stores it locally and sends it on every later request.  This article covers managing those tokens with the vault CLI.  The commands below use the hyphenated spellings of the original CLI (vault auth, vault token-create, vault token-renew, vault token-revoke); Vault 0.9.2 and later spell them vault login, vault token create, vault token renew and vault token revoke, with the same flags.

Authentication using a token

When you initialize a new Vault (vault init), it prints an initial root token.  You can use this token to authenticate with the vault auth command:

vault auth <token>

Example: vault auth 9uhwwe8fhq2eo8hf8efh9fquhe

Now that you have authenticated, you have access to the rest of the vault commands.

Listing Tokens

You cannot list tokens in Vault.  A token is a bearer credential: anyone who can read it can use it, so Vault never exposes token values after creation.  What the CLI does keep is your own token.  With the default token helper, vault auth writes it to the file ~/.vault-token; if the VAULT_TOKEN environment variable is set, the CLI uses that value instead and ignores the file.  To see which token your shell is sending, run one of:

cat ~/.vault-token

or

echo $VAULT_TOKEN

(on Windows cmd, echo %VAULT_TOKEN%).  Note that echo VAULT_TOKEN without the $ just prints the literal word.

While you cannot list the tokens themselves, you can list their accessors (this path requires the sudo capability):

vault list auth/token/accessors

The output is the accessor of every unexpired token and nothing else; display names are not included.  To see the display name, policies and remaining TTL behind an accessor, run vault token-lookup -accessor <accessor>.  An accessor lets you inspect and revoke a token without ever knowing its value, which is exactly what you want when cleaning up after a leak.

Creating Tokens

You can create additional tokens for authentication using the vault token-create command.  Depending on the arguments you specify, you will get different results.  The TTL of a new token defaults to the server's default_lease_ttl setting (24 hours on the install this article was written against).  When the TTL runs out the token is revoked, and anything still presenting it gets a 403 permission denied.

Create token

To create a token with all of the default settings, run:

vault token-create

With no -policy argument the new token inherits the policies of the token you are logged in with, and it is a child of that token: revoking your token revokes it too.

**Warning: if you authenticated with a root token, this creates another root token, and root tokens minted this way have no TTL and never expire.  Always pass -policy (and a TTL) when creating tokens as root.

Specify Token Policy

If you want the token to have a specific policy applied, you can specify a policy with the -policy argument (repeat it to attach several).  A non-root token can only grant policies it holds itself, so a child token never has more access than its creator:

vault token-create -policy=mypolicy

Set TTL

You can specify a non-default TTL with the -ttl argument.  The following command will create a vault token with a TTL of 1 hour:

vault token-create -policy=mypolicy -ttl="1h"

The token will expire after 1 hour unless it is renewed.  Renewal extends the expiry from the time of renewal, by the original TTL unless you ask for a different increment, but never past the token's max TTL.

Renew Token

When your token is about to expire, you don't have to get a new one.  As long as the token is renewable and has not yet reached its max TTL, you can renew its lease with the token-renew command (run with no argument, it renews the token you are currently logged in with):

vault token-renew <token>

Set Max TTL

Set the maximum TTL using the -explicit-max-ttl argument:

vault token-create -policy=mypolicy -explicit-max-ttl="1h"

A token might have a TTL of 60 seconds and be renewed again and again, but no renewal can push its expiry past the max TTL; after that it can only be replaced.  The server's max_lease_ttl setting caps the value you can set here.  A max TTL does not make a token harder to steal, but it bounds how long a stolen token stays useful, which is why short-lived tokens are worth the renewal overhead.

Set Display Name

Set the display name of a token using the -display-name argument:

vault token-create -policy=mypolicy -ttl="1h" -display-name="My Token"

Create a token and set the current session to use that token

The following has been tested on OSX.  It creates a vault token with a TTL of 1 hour and makes your current shell session use it.  It depends on jq, so first run:

brew install jq

The variable must be exported; a plain assignment is only visible to the shell itself, not to the vault binary it launches.  Create the token and set the current session to use it on OSX:

export VAULT_TOKEN=$(vault token-create -ttl="1h" -format=json | jq -r '.auth.client_token')

While VAULT_TOKEN is set the CLI ignores ~/.vault-token, so unset VAULT_TOKEN to go back to your original login.  The new token is a child of your session token with the same policies; add -policy if it should have fewer.

Destroying Tokens

When you are finished with a token, revoke it so it cannot be used by unauthorized users and systems.  Revoking a token also revokes every token created from it (unless those were created as orphans) and every secret lease it obtained.  To revoke a token whose value you have, run:

vault token-revoke <TokenID>

When you only have the accessor, for example from the listing above, run vault token-revoke -accessor <accessor>.  To revoke the token you are currently logged in with, run vault token-revoke -self.
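The CLI commands in this article (token-create with -policy, -ttl, -explicit-max-ttl and -display-name, token-renew, the accessor listing, and token-revoke) are thin wrappers over the token store's HTTP endpoints.  The following Python is an added example, not code from this article or from HashiCorp, that drives those endpoints directly and shows the one workflow the CLI does not give you in a single command: revoking every token that matches a display name using only accessors, skipping accessors whose token has already expired.  It talks to a real server through http_transport (address and token are whatever your environment uses); the fake_transport at the bottom is a constructed stand-in with sample accessors so the logic can run offline.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

# A transport is (method, path, body) -> decoded JSON ({} for an empty 204 reply).
# Injecting it lets TokenManager run against a real server (http_transport) or
# the constructed in-memory fake at the bottom of this file (fake_transport).
Transport = Callable[[str, str, Optional[dict]], dict]


def http_transport(addr: str, token: str) -> Transport:
    """Transport for a live Vault, e.g. http_transport("http://127.0.0.1:8200", my_token)."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
        req.add_header("X-Vault-Token", token)  # the caller's own token; never log it
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


class TokenManager:
    """The token-store endpoints behind token-create, token-renew, token-revoke
    and `vault list auth/token/accessors`."""

    def __init__(self, transport: Transport) -> None:
        self._send = transport

    def create(self, policies, ttl=None, explicit_max_ttl=None, display_name=None) -> dict:
        """POST auth/token/create. `policies` is mandatory here on purpose: a request
        without it inherits the caller's policies, so a root caller mints another root."""
        body = {"policies": list(policies), "renewable": True}
        if ttl is not None:
            body["ttl"] = ttl                            # e.g. "1h"; renewable up to the max
        if explicit_max_ttl is not None:
            body["explicit_max_ttl"] = explicit_max_ttl  # hard ceiling no renewal can pass
        if display_name is not None:
            body["display_name"] = display_name          # Vault stores it as "token-<name>"
        auth = self._send("POST", "auth/token/create", body)["auth"]
        return {"client_token": auth["client_token"], "accessor": auth["accessor"]}

    def renew_self(self, increment=None) -> int:
        """POST auth/token/renew-self; returns the new lease duration in seconds."""
        body = {"increment": increment} if increment is not None else {}
        return self._send("POST", "auth/token/renew-self", body)["auth"]["lease_duration"]

    def list_accessors(self) -> list:
        """LIST auth/token/accessors (needs sudo on that path). Accessors only, never tokens."""
        return self._send("LIST", "auth/token/accessors", None)["data"]["keys"]

    def lookup_accessor(self, accessor: str) -> dict:
        return self._send("POST", "auth/token/lookup-accessor", {"accessor": accessor})["data"]

    def revoke_accessor(self, accessor: str) -> None:
        self._send("POST", "auth/token/revoke-accessor", {"accessor": accessor})

    def revoke_by_display_name(self, display_name: str) -> list:
        """Revoke every live token with this display name without knowing the token values.
        An accessor whose token expired between list and lookup comes back as HTTP 400
        ("invalid accessor") and is skipped; any other error is surfaced."""
        revoked = []
        for accessor in self.list_accessors():
            try:
                meta = self.lookup_accessor(accessor)
            except urllib.error.HTTPError as err:
                if err.code == 400:
                    continue
                raise
            if meta.get("display_name") == display_name:
                self.revoke_accessor(accessor)
                revoked.append(accessor)
        return revoked


def fake_transport() -> Transport:
    """Constructed stand-in for a Vault server: sample accessors and metadata, not real data."""
    live = {  # accessor -> what lookup-accessor would return for it
        "acc-ci-1": {"display_name": "token-ci", "policies": ["ci"], "ttl": 1800},
        "acc-dev": {"display_name": "token-dev", "policies": ["dev"], "ttl": 3000},
        "acc-ci-2": {"display_name": "token-ci", "policies": ["ci"], "ttl": 600},
    }
    stale = ["acc-expired"]  # still listed, but its token is already gone

    def send(method: str, path: str, body: Optional[dict]) -> dict:
        if path == "auth/token/create":
            return {"auth": {"client_token": "constructed-client-token", "accessor": "acc-new"}}
        if path == "auth/token/renew-self":
            return {"auth": {"lease_duration": 3600}}
        if path == "auth/token/accessors":
            return {"data": {"keys": sorted(live) + stale}}
        if path == "auth/token/lookup-accessor":
            if body["accessor"] not in live:
                raise urllib.error.HTTPError(path, 400, "invalid accessor", {}, None)
            return {"data": live[body["accessor"]]}
        if path == "auth/token/revoke-accessor":
            live.pop(body["accessor"], None)
            return {}
        raise ValueError(f"unexpected path {path}")
    return send


if __name__ == "__main__":
    tm = TokenManager(fake_transport())
    print(tm.create(["ci"], ttl="1h", explicit_max_ttl="4h", display_name="ci-build"))
    print(tm.revoke_by_display_name("token-ci"))  # revokes acc-ci-1 and acc-ci-2 only
```

Against a real server, build the manager with TokenManager(http_transport(addr, token)) where token holds the sudo-capable token you are logged in with; revoke_by_display_name then does exactly what the listing-and-revoke procedure above does by hand, and the 400 branch is what you hit in practice when a token expires mid-sweep.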

Additional resources

The official HashiCorp documentation on tokens can be found here:

https://www.vaultproject.io/docs/concepts/tokens.html

I also found this blog about Vault useful:

https://www.amon.cx/blog/managing-all-secrets-with-vault/