In my scripts, I need to login, at which point the user will get prompted for a token with vault login. I'd like to be able to query if I'm logged in though, so that vault login will not have to execute again and slow the user down with a prompt.
I am aware of being able to provide VAULT_TOKEN as an env var, but that is not ideal for security, so I don't want users doing that. Instead I'd like to skip redundant execution of vault login altogether.
If the user is logged in, they will have a token - you could do a vault token lookup. If the user does not have a token, vault will exit 2.
You could catch that and do a login for them, using whatever auth they are allowed to use.
The token lookup also returns a bunch of metadata about their token, e.g. ttl - you could use that to decide whether to warn the user, renew or escalate the token…
That's excellent, thanks, it will help reduce repeated login queries for sure!
Additionally, token capabilities could be useful here too, if you need to check specific path access.
I tried to explore the token capabilities, but for example this didn't work, I just got deny from:
vault token capabilities dev/data/files
deny
vault token capabilities dev/files
deny
vault token capabilities dev
deny
When the policy for the token was:
path "dev/data/network/*"
{
capabilities = ["list", "read"]
}
path "dev/data/files/*"
{
capabilities = ["create", "read", "update", "delete", "list"]
}
path "dev/data/network/something"
{
capabilities = ["update", "list"]
}
path "dev/data/network/somethingelse"
{
capabilities = ["update", "list"]
}
path "sys/capabilities" {
capabilities = ["list", "read"]
}
path "sys/capabilities-self" {
capabilities = ["list", "read"]
}
I thought based on that documentation the policy should work though.
Can you read those paths from the same cli session?
What does $ vault token capabilities /sys/capabilities-self say?
I think for it to work on its own token, that needs to return update.
Careful, vault will also exit 2 on other problems like, e.g.:
- the vault server domain does not resolve
- …or is not reachable
- the tls connection cannot be established, e.g. because of certificate issues
and permission denied is also not too helpful as it can mean a number of things:
- token expired
- token never existed
- token policies are insufficient for the action you’re trying to perform
- the API endpoint does not exist (typos, etc.)
I know the reasons behind most of this, but for debugging and user-friendliness it’s sometimes frustrating
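The following script is an added example and is not code from any of the posters above. It puts together the advice from the thread: the first answer's "lookup, and log in only if that fails, then look at the ttl" approach, the capabilities check discussed in the middle of the thread, and the last post's warning that exit code 2 is ambiguous. To separate "server not reachable / TLS broken / sealed" from "no usable token" it runs vault status (which needs no token) before vault token lookup. It assumes the vault CLI is on PATH and VAULT_ADDR is set; VAULT_BIN, VAULT_LOGIN_METHOD, MIN_TTL and RUN_VAULT_CHECK are hypothetical knobs introduced here, not Vault settings. Note that the capabilities check asks about a concrete key: a policy glob such as "dev/data/files/*" does not match the bare path "dev/data/files", which is consistent with the deny seen above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the `vault` CLI is on PATH and
# VAULT_ADDR points at the server. VAULT_BIN, VAULT_LOGIN_METHOD and MIN_TTL are
# hypothetical knobs introduced here so the logic can be exercised with a stub.
VAULT_BIN="${VAULT_BIN:-vault}"
VAULT_LOGIN_METHOD="${VAULT_LOGIN_METHOD:-oidc}"   # whatever auth the user may use
MIN_TTL="${MIN_TTL:-300}"                          # seconds; warn below this

# Prints exactly one word describing the session and always returns 0:
#   unreachable  server not reachable, TLS failed, or sealed (vault status != 0)
#   no-token     no usable token (lookup failed; vault exits 2)
#   expiring     token valid but ttl below MIN_TTL
#   ok           token valid
# Checking `vault status` first separates connectivity problems from a missing
# or expired token, since both make `vault token lookup` exit 2.
vault_token_state() {
    if ! "$VAULT_BIN" status >/dev/null 2>&1; then
        echo unreachable
        return 0
    fi
    ttl=$("$VAULT_BIN" token lookup -field=ttl 2>/dev/null) || {
        echo no-token
        return 0
    }
    case $ttl in
        ''|*[!0-9]*) echo ok ;;   # unexpected format: do not guess
        0) echo ok ;;             # ttl 0 means the token never expires
        *) if [ "$ttl" -lt "$MIN_TTL" ]; then echo expiring; else echo ok; fi ;;
    esac
}

# Logs in only when needed. Returns 0 when a usable token exists afterwards,
# 1 when the login failed, 2 when the server could not be reached at all.
ensure_vault_login() {
    state=$(vault_token_state)
    case $state in
        ok) return 0 ;;
        expiring)
            echo "warning: vault token expires in under ${MIN_TTL}s; consider 'vault token renew'" >&2
            return 0 ;;
        no-token)
            "$VAULT_BIN" login -method="$VAULT_LOGIN_METHOD" >/dev/null || return 1
            return 0 ;;
        *)
            echo "error: vault at ${VAULT_ADDR:-<unset>} is not reachable or is sealed" >&2
            return 2 ;;
    esac
}

# vault_can PATH CAPABILITY: 0 if the current token has CAPABILITY on PATH
# (or is root), 1 if not, 2 if the query itself failed. Ask about a concrete
# key (e.g. dev/data/files/foo): a policy glob like "dev/data/files/*" does not
# match the bare path "dev/data/files".
vault_can() {
    caps=$("$VAULT_BIN" token capabilities "$1" 2>/dev/null) || return 2
    for cap in $(printf '%s' "$caps" | tr ',' ' '); do
        [ "$cap" = "$2" ] && return 0
        [ "$cap" = root ] && return 0
    done
    return 1
}

# Typical use from another script: source this file, then
#   ensure_vault_login || exit $?
#   vault_can dev/data/files/config read || { echo "no read access" >&2; exit 1; }
if [ "${RUN_VAULT_CHECK:-0}" = 1 ]; then
    ensure_vault_login
fi
```

The functions only print a state word or return an exit code, so the calling script decides what to do; the distinction between return code 1 (login failed) and 2 (server unreachable) is what lets a wrapper give the user a useful message instead of a bare permission denied.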