On the CLI, upon successfully running vault auth, the token is stored at ~/.vault-token. I assume this is to allow multiple terminal sessions to access vault after one login. It would make more sense to dump the token to the VAULT_TOKEN environment variable noted in the docs, but I can see some not liking this idea.
Instead, this request is for a vault logout function to be added to the CLI. Very simply, this would effectively run rm ~/.vault-token.
I have mentioned these two related items here in order for others to understand the context. Either solution would function, and I would like to start a conversation regarding the two.
You're correct about your assumption. It's also a pluggable mechanism; an external binary can be used so that in theory it can e.g. integrate with your system keychain via envchain or some such thing.
We're not going to add a vault logout command at this time, however. As you noted, it would be functionally equivalent to a simple rm, and we already have enough commands that people very often get confuzzled.
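The pluggable mechanism mentioned in the reply above, sketched as an added example (not code from this thread or from the Vault project): a token helper is an executable that Vault calls with one argument, `get`, `store` or `erase`, passing the token on stdin for `store` and reading it from stdout for `get`. The version below keeps the token in a per-session directory instead of ~/.vault-token; the variable name VAULT_HELPER_DIR and the file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a minimal Vault token helper (get | store | erase).
# Assumption: the token lives in $VAULT_HELPER_DIR (hypothetical name), falling
# back to $XDG_RUNTIME_DIR, which is typically removed when the session ends.

token_helper() {
    dir="${VAULT_HELPER_DIR:-${XDG_RUNTIME_DIR:-}}"
    # Refuse to fall back to a shared location such as /tmp.
    [ -n "$dir" ] && [ -d "$dir" ] || { echo "no session directory" >&2; return 1; }
    file="$dir/vault-token"

    case "${1:-}" in
        get)
            # No stored token is not an error: print nothing.
            [ -f "$file" ] && cat "$file"
            return 0
            ;;
        store)
            # Token arrives on stdin. Write it with mode 0600, then rename so a
            # concurrent "get" never sees a half-written file.
            ( umask 077 && cat > "$file.tmp" ) && mv -f "$file.tmp" "$file"
            ;;
        erase)
            # Removes the local copy only; the token stays valid on the server
            # until it is revoked or expires.
            rm -f "$file"
            ;;
        *)
            echo "usage: token-helper get|store|erase" >&2
            return 2
            ;;
    esac
}

# Act as the helper when executed with an argument.
if [ "$#" -gt 0 ]; then
    token_helper "$@"
fi
```

To use it, save the script as an executable and point the `token_helper` setting in the Vault CLI configuration file (~/.vault) at its absolute path.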
Note that there are now token-only and no-store flags on the CLI, either of which will cause the token to not be stored.
What I've been doing is: _$ vault token revoke -self_
seems to work well for intended purpose.
Advice: Do not use _vault token revoke -self_ when you are using the root token or if you have a token that has a lot of children, because this revokes all tokens generated by this token and the tokens they created. Instead, use:
_vault token revoke -mode=orphan -self_
Please note that @a-nldisr's comment above is not considered canonical advice. Revoking in orphan mode has real security implications that should be understood before using it.