Any Vault CLI query to check if I am logged in?

In my scripts, I need to login, at which point the user will get prompted for a token with vault login. I’d like to be able to query if I’m logged in though so that vault login will not have to execute again and slow the user down with a prompt.

I am aware of being able to provide VAULT_TOKEN as an env var, but that is not ideal for security, so I don’t want users doing that. Instead I’d like to skip redundant execution of vault login altogether.

If the user is logged in, they will have a token - you could do a vault token lookup. If the user does not have a token, vault will exit 2

You could catch that and do a login for them, using whatever auth they are allowed to use.

The token lookup also returns a bunch of metadata about their token, e.g. ttl - you could use that to decide whether to warn the user, renew or escalate the token…


That's excellent, thanks, it will help reduce repeated login queries for sure!

Additionally, token capabilities could be useful here too, if you need to check specific path access.


I tried to explore the token capabilities, but for example this didn't work; I just got deny from:

vault token capabilities dev/data/files
deny
vault token capabilities dev/files
deny
vault token capabilities dev
deny

When the policy for the token was:

path "dev/data/network/*"
{
  capabilities = ["list", "read"]
}

path "dev/data/files/*"
{
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "dev/data/network/something"
{
  capabilities = ["update", "list"]
}

path "dev/data/network/somethingelse"
{
  capabilities = ["update", "list"]
}

path "sys/capabilities" {
  capabilities = ["list", "read"]
}

path "sys/capabilities-self" {
  capabilities = ["list", "read"]
}

I thought based on that documentation the policy should work though.

Can you read those paths from the same CLI session?

What does $ vault token capabilities /sys/capabilities-self say?
I think for it to work on its own token, that needs to return update
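As an added example (not code from this thread or from HashiCorp), here is one way to turn the `vault token capabilities` suggestion into a pre-flight check a script can run before it touches a path. It parses the CLI's default text output (a comma-separated list such as `list, update`, or the single words `deny` / `root`). The `VAULT_CMD` variable is an assumption added so the function can be exercised against a stub; it defaults to the real `vault` binary.

```shell
#!/bin/sh
# Added example, not the thread's or Vault's own code: verify that the
# current token holds every required capability on a path before using it.
# VAULT_CMD is an assumed hook (defaults to the real CLI) so the logic can
# be tested with a stub that imitates the CLI output.
VAULT_CMD=${VAULT_CMD:-vault}

# Usage: token_has_caps <path> <cap> [<cap>...]
# Returns 0 if the token has all listed capabilities on <path>,
#         1 if at least one is missing (or the answer is "deny"),
#         2 if the query itself failed (no token, unreachable server, ...).
token_has_caps() {
    path=$1; shift
    caps=$("$VAULT_CMD" token capabilities "$path" 2>/dev/null) || return 2
    # normalise "read, update" into one capability per line
    caps=$(printf '%s\n' "$caps" | tr ',' '\n' | tr -d ' ')
    case "$caps" in
        root) return 0 ;;   # root token: everything is allowed
        deny) return 1 ;;   # no capability at all on this path
    esac
    for want in "$@"; do
        printf '%s\n' "$caps" | grep -qx "$want" || return 1
    done
    return 0
}

# Example call in a script:
#   token_has_caps dev/data/files/report read update || { echo "missing rights" >&2; exit 1; }
```

Note that the path you query must actually be covered by the policy glob: a rule on `dev/data/files/*` applies to `dev/data/files/report` but not to the bare `dev/data/files`, which is one reason a capabilities query on the prefix alone can come back as `deny`.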

Careful, vault will also exit 2 on other problems like e.g.:

  • the vault server domain does not resolve
  • …or is not reachable
  • the tls connection cannot be established, e.g. because of certificate issues

and permission denied is also not too helpful as it can mean a number of things:

  • token expired
  • token never existed
  • token policies are insufficient for the action you’re trying to perform
  • the API endpoint does not exist (typos, etc.)

I know the reasons behind most of this, but for debugging and user-friendliness it’s sometimes frustrating
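Putting the earlier `vault token lookup` advice and the warning above together, here is an added example (not code from this thread or from HashiCorp) of a login wrapper that only prompts for `vault login` when the token is genuinely missing or rejected, and refuses to prompt when the failure looks like a connectivity problem. `VAULT_CMD`, `MIN_TTL` and the error-string matching are assumptions of this example: the CLI does exit 2 in both situations, so the script has to look at the error text to tell them apart.

```shell
#!/bin/sh
# Added example, not the thread's or Vault's own code: probe the current
# token with `vault token lookup` and keep "valid token", "no or invalid
# token" and "cannot reach or verify the server" apart, so that a script
# only prompts for `vault login` in the second case.
# VAULT_CMD is an assumed hook (defaults to the real CLI) so the logic can
# be exercised with a stub.
VAULT_CMD=${VAULT_CMD:-vault}

# Prints the token's remaining TTL (seconds) on stdout and returns:
#   0 = logged in, 1 = need login, 2 = query failed for another reason
vault_session_state() {
    rc=0
    out=$("$VAULT_CMD" token lookup -format=json 2>&1) || rc=$?
    if [ "$rc" -eq 0 ]; then
        # pull "ttl": N out of the JSON without depending on jq
        ttl=$(printf '%s\n' "$out" | sed -n 's/.*"ttl": *\([0-9][0-9]*\).*/\1/p' | head -n 1)
        printf '%s\n' "${ttl:-0}"
        return 0
    fi
    # Assumed: the CLI reports a missing or expired token via these API
    # error strings; anything else (DNS, TLS, connection refused) is not
    # an authentication problem and must not trigger a login prompt.
    case "$out" in
        *"permission denied"*|*"missing client token"*) return 1 ;;
        *) printf '%s\n' "$out" >&2; return 2 ;;
    esac
}

# Makes sure a usable session exists. Sets LOGIN_ACTION to one of
# ok | renewed | login | error and returns 0 on success, 1 if the login
# failed, 2 if the server could not be queried at all.
ensure_login() {
    rc=0
    ttl=$(vault_session_state 2>/dev/null) || rc=$?
    case "$rc" in
        0)
            # renew (or re-login) when fewer than MIN_TTL seconds remain
            if [ "$ttl" -lt "${MIN_TTL:-300}" ]; then
                if "$VAULT_CMD" token renew >/dev/null 2>&1; then
                    LOGIN_ACTION=renewed
                else
                    LOGIN_ACTION=login
                    "$VAULT_CMD" login || return 1
                fi
            else
                LOGIN_ACTION=ok
            fi ;;
        1)
            LOGIN_ACTION=login
            "$VAULT_CMD" login || return 1 ;;
        *)
            LOGIN_ACTION=error
            return 2 ;;
    esac
    return 0
}

# Usage in a script:  ensure_login || exit 1; vault kv get ...
```

The point of the three-way split is the one made above: exit code 2 alone is not evidence that the user needs to log in, so the wrapper only opens a prompt when the server answered and rejected the token, and otherwise surfaces the real error instead of asking for credentials.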