Vault: Token Duration - Configuration

Created on 9 Oct 2015 · 25 Comments · Source: hashicorp/vault

I have mounted the secret backend and I used mount-tune to set the default lease period to 1m and the max lease period to 3 mins. When I create a token the duration is set to 2592000. Can the duration be configured and changed to the default or the max lease period of that backend?

In general, can the lease period of a token be configured?

All 25 comments

Tokens are issued by the token backend at auth/token/, not the generic backend at secret/. Try tuning auth/token and it should work!

@jefferai: It works.
A quick question: I have tuned the auth/token backend with a default time period of 1 min and a max time period of 10 mins. When I create a token, the duration is set to the default period of 1 min. I was wondering if I can choose the duration period of that token (between default and max).

Default is the default TTL when no ttl parameter is supplied with the token request. Max is the maximum allowed TTL. When talking about other backends, not all backends actually honor the default TTL set (yet), but the maximum is _always_ enforced.

I created a token using,

vault token-create -policy=x
How do I set the maximum allowed TTL for this token?

The output of vault token-create -h should have the info you need.

That helped. When I tried to set the lease period to 100 days by using the -lease option, it didn't work and the duration was set to 2592000, which is 30 days. Can't tokens be valid for more than 30 days? Is there any other way to achieve this?

You can set the maximum either globally in the configuration file or for that mount via the mount-tune command. 30 days is the default.

I do have the mount-tune in place,
vault mount-tune -default-lease-ttl=24h -max-lease-ttl=8760h auth/token

When I do vault token-create -policy=secret, I get the token_duration to be 86400, which is equal to 24h (the minimum lease period). But when I do vault token-create -policy=secret -lease="4800h", I get the duration to be 2592000, which is 30 days (the default value).

I don't find any docs for setting it up globally.

Hi,

The parameter is -ttl, not -lease. What is the output of "vault mounts"?

Vault mounts gives me,
cubbyhole/ cubbyhole n/a n/a per-token private secret storage
generic/ generic 60 120
secret/ generic 60 120 generic secret storage
sys/ system n/a n/a system endpoints used for control, policy and debugging

I don't see the auth/token.

token-create does not have a -ttl parameter. It only has -lease.

The global defaults are documented with the rest of the configuration file at https://vaultproject.io/docs/config/index.html

ttl instead of lease is documented in the API at https://vaultproject.io/docs/auth/token.html ...the fact that the CLI does not use it is a bug which I will ensure is fixed for the next release.

Sorry, I forgot that auth mounts do not show up in vault mounts.

You can use curl -X GET -H X-Vault-Token:<your token> http://127.0.0.1:8200/v1/sys/mounts/auth/token/tune to get the value. For me, after running your command above, I got back {"default_lease_ttl":86400,"max_lease_ttl":31536000} -- the max value corresponding to a year.

I can replicate the problem of the lease not being honored with token-create...I'll look into it. It's possible that in 0.3 this capability was not yet enabled for the token credential backend.
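The TTL arithmetic in this thread (system default of 2592000 seconds, a tuned mount default and max, and a requested ttl that is capped rather than rejected) is easy to get wrong by hand. The following is an added illustration, not code from the thread or from Vault itself: a small model of the rule stated above, fed with the same numbers the thread reports. `parse_duration`, `effective_token_ttl` and `ttl_from_tune_response` are names chosen here; the two `SYSTEM_*` constants are assumed from the 30-day value quoted in the discussion, and the sample tune response is the one printed above. The model describes the behaviour after the fix discussed here; in 0.3 the tuning on auth/token was silently ignored.

```python
import json
import re

# Vault's built-in defaults when nothing is tuned: the 2592000-second
# value (30 days) that keeps appearing in the thread. Assumed constants
# for this model, taken from the values quoted in the discussion.
SYSTEM_DEFAULT_LEASE_TTL = 30 * 24 * 3600  # 2592000
SYSTEM_MAX_LEASE_TTL = 30 * 24 * 3600      # 2592000

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}
_DURATION_PART = re.compile(r"(\d+)([smh])")


def parse_duration(value):
    """Turn a duration as the CLI accepts it ('24h', '1m', '8760h',
    '1h30m') or a plain number of seconds into an integer number of seconds."""
    if isinstance(value, int):
        return value
    text = str(value).strip().strip('"')
    if text.isdigit():
        return int(text)
    parts = _DURATION_PART.findall(text)
    # Reject strings that contain anything other than <number><unit> parts
    # (so '3mins' is an error rather than a silent 3 minutes).
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("unsupported duration: %r" % value)
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def effective_token_ttl(requested=None, mount_default=None, mount_max=None):
    """Model (hypothetical, not Vault's code) of the rule stated in the thread:
    a requested ttl wins, otherwise the mount's tuned default, otherwise the
    system default; the result is capped at the mount's tuned max, or at the
    system max if the mount has none. A tuned value of 0 means 'not tuned'."""
    ceiling = parse_duration(mount_max) if mount_max else SYSTEM_MAX_LEASE_TTL
    if requested:
        ttl = parse_duration(requested)
    elif mount_default:
        ttl = parse_duration(mount_default)
    else:
        ttl = SYSTEM_DEFAULT_LEASE_TTL
    return min(ttl, ceiling)


def ttl_from_tune_response(body, requested=None):
    """Same computation, fed with the JSON body that
    GET /v1/sys/mounts/auth/token/tune returns."""
    tune = json.loads(body)
    return effective_token_ttl(
        requested=requested,
        mount_default=tune.get("default_lease_ttl"),
        mount_max=tune.get("max_lease_ttl"),
    )


# Constructed sample: the tune response quoted in the thread
# (24h default, 8760h max).
SAMPLE_TUNE_RESPONSE = '{"default_lease_ttl":86400,"max_lease_ttl":31536000}'

if __name__ == "__main__":
    print("untuned, no ttl requested:", effective_token_ttl())
    print("untuned, 100 days requested:", effective_token_ttl("2400h"))
    print("tuned 24h/8760h, no ttl:", ttl_from_tune_response(SAMPLE_TUNE_RESPONSE))
    print("tuned 24h/8760h, 4800h:", ttl_from_tune_response(SAMPLE_TUNE_RESPONSE, "4800h"))
```

Running it reproduces the two observations in the thread: without a request the tuned 24h default (86400) is used, and a 100-day request against an untuned mount comes back as 2592000 because the cap, not the default, is what limits it. With the tuned 8760h max, a 4800h request is honoured in full.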

@jefferai Thanks a lot. I appreciate your help

@narayan8291 OK, so the token store acts like a special authentication backend. At this point I honestly don't remember whether we didn't enable mount-tune for it on purpose at the time, or whether it was a bug (as in, an oversight)...but at this point the mount tuning system is robust and we should treat the token store the same way. I've fixed it; it's fixed in master now, and will be in the next release.

When I do curl -X GET -H X-Vault-Token: http://127.0.0.1:8200/v1/sys/mounts/auth/token/tune it says permission denied, and this is the acl.hcl which I have:

path "secret/dev_token" {
policy = "read"
}
path "secret/admin_token" {
policy = "deny"
}
path "auth/token/lookup-self" {
policy = "read"
}

I just want to make sure the token's ttl is set for the maximum period of the auth/token backend which is 360 days. I have done the necessary token-tune but I am not sure if the token which I have created has the ttl of 360 days. As of now I can only see the default ttl which is 24h.

What token are you using there? Tuning requires a root token. Also unless you are running master from a few minutes ago, setting the tune parameters on auth/token have no effect.

@jefferai I have used the root token to tune and the server logs show " core: tuned 'auth/token/' ". I have tuned it using,

vault mount-tune -default-lease-ttl=7200h -max-lease-ttl=7400h auth/token. A default period of 300 days.

But when I create a token, vault token-create -policy=secret I get the output,
Key Value
token 8413e733-7693-588c-de5d-8ddcec52876e
token_duration 86400
token_renewable true
token_policies [secret]

The duration is only 30 days. I am trying to create a token for a duration of 300 days but I am not able to. Is there something that I am doing wrong?

Are you running off of an updated master branch?

I did a git pull and ran the same commands. Looks like the issue still exists.

When you did the git pull did you then build/install it? Are you running the actual updated binary? I tested this earlier on and it was working fine.

@narayan8291 Please pull again, I think ^ should help.

I just tested your set of commands with that change and they work fine. Apologies for the difficulty before...this was a subtle issue.

I did a git pull and also built using make dev. The issue still exists.

I was wondering if there is a way I could verify that I am working on the updated binary?

I think the build has an error. When I did sudo make dev,
1 errors occurred:
--> darwin/amd64 error: exit status 1
Stderr: main.go:6:2: cannot find package "github.com/hashicorp/vault/cli" in any of:
/usr/local/go/src/github.com/hashicorp/vault/cli (from $GOROOT)
($GOPATH not set)

But this was not the problem in make dev. I will fix this first

I am using a Mac and I have also set $GOPATH. Not sure what the problem is. Any suggestions?

You need to set GOPATH in your environment. Once you set it, Go operations become relative to that directory. See https://github.com/golang/go/wiki/GOPATH for more information.
