I just started to work with HashiCorp a few months ago, so excuse my knowledge/question.
As I was looking on Google at old forum discussions and reading some of the HashiCorp docs, I could not figure out whether I can or cannot have a secret_id that never expires.
I tried to generate a non-expiring secret_id like this:
vault write -f auth/approle/role/app_name_role/secret-id secret_id_ttl=0 token_num_uses=0 secret_id_num_uses=0 token_ttl=0 token_max_ttl=0
The result came back with:
secret_id_ttl 2764800 —> 32 days…
How am I supposed to code or generate those AppRole secret_id keys so that I can have an application retrieve its secrets after, let's say, 300 days when I restart it? I need a way so I do not change the secret_id every 32 days. The issue is we can't really restart the app easily once it is in production, as it's mission critical and restarting it to renew the secret_id will cause customer impact…
I ran the exact command you posted:
$ vault write -f auth/approle/role/app_name_role/secret-id secret_id_ttl=0 token_num_uses=0 secret_id_num_uses=0 token_ttl=0 token_max_ttl=0
WARNING! The following warnings were returned from Vault:
* Endpoint ignored these unrecognized parameters: [secret_id_num_uses secret_id_ttl token_max_ttl token_num_uses token_ttl]
And Vault helpfully pointed out that that endpoint doesn't accept any of those parameters.
Do check the docs to avoid making up parameters to endpoints that don’t actually exist.
If you want to set secret_id_ttl to zero (unlimited), you can, but you have to do it via one of the configuration endpoints that supports that.
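The two-step setup the reply above points at, as an added example that is not part of this thread and not HashiCorp's own code. It talks to Vault's HTTP API (the same endpoints the `vault write` CLI wraps) using only the Python standard library, and keeps the role-level parameters (`secret_id_ttl`, `secret_id_num_uses`, `token_ttl`, ...) on the role endpoint, where they are accepted, instead of on the `.../secret-id` endpoint, which ignores them. Assumed: `VAULT_ADDR` and `VAULT_TOKEN` in the environment for the live calls, and the role name `app_name_role` from the thread; the parameter names are those documented for the AppRole auth method.

```python
"""
Non-expiring AppRole SecretIDs via Vault's HTTP API (added example, not from the thread).

Two different endpoints are involved:
  POST /v1/auth/approle/role/<name>            role config: secret_id_ttl, secret_id_num_uses,
                                               token_ttl, token_max_ttl, token_num_uses, ...
  POST /v1/auth/approle/role/<name>/secret-id  issue a SecretID under that config
Assumed: VAULT_ADDR and VAULT_TOKEN are set for the live part; role name "app_name_role"
is taken from the thread.
"""
import json
import os
import urllib.request

# Names the role endpoint accepts and the secret-id endpoint silently ignores
# (Vault reports them in the response's top-level "warnings" list, as in the thread).
ROLE_LEVEL_PARAMS = {
    "secret_id_ttl", "secret_id_num_uses",
    "token_ttl", "token_max_ttl", "token_num_uses",
}


def misplaced_secret_id_params(params):
    """Keys that belong on auth/approle/role/<name>, not on .../secret-id."""
    return sorted(k for k in params if k in ROLE_LEVEL_PARAMS)


def check_response(resp):
    """Vault answers HTTP 200 even when it dropped parameters; the only signal is the
    'warnings' list. Treat any warning as a failure so misconfiguration is not silent."""
    warnings = resp.get("warnings") or []
    if warnings:
        raise RuntimeError("vault warned: " + "; ".join(warnings))
    return resp


def secret_ids_never_expire(role_data):
    """True when the role is configured so issued SecretIDs have no TTL and unlimited uses."""
    return role_data.get("secret_id_ttl") == 0 and role_data.get("secret_id_num_uses") == 0


def vault_request(method, path, body=None):
    """Minimal authenticated call against VAULT_ADDR; tolerates 204 (empty) responses."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        data=json.dumps(body).encode() if body is not None else None,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"},
        method=method,
    )
    with urllib.request.urlopen(req) as r:
        raw = r.read()
    return check_response(json.loads(raw) if raw else {})


def configure_role(name, **params):
    """Role-level settings: this is where secret_id_ttl=0 (no expiry) is legal."""
    return vault_request("POST", f"auth/approle/role/{name}", params)


def generate_secret_id(name, **params):
    """Issue a SecretID. Rejects role-level names up front instead of letting Vault drop them."""
    bad = misplaced_secret_id_params(params)
    if bad:
        raise ValueError(f"{bad} belong on auth/approle/role/{name}, not on .../secret-id")
    return vault_request("POST", f"auth/approle/role/{name}/secret-id", params or {})


def read_role(name):
    """Read back the effective role config so the TTL can be verified, not assumed."""
    return vault_request("GET", f"auth/approle/role/{name}")["data"]


if __name__ == "__main__":
    role = "app_name_role"
    configure_role(role, secret_id_ttl=0, secret_id_num_uses=0,
                   token_ttl="1h", token_max_ttl="24h", token_policies="default")
    cfg = read_role(role)
    if not secret_ids_never_expire(cfg):
        raise SystemExit(f"role still expires SecretIDs: {cfg}")
    issued = generate_secret_id(role)["data"]
    print("secret_id_ttl on the issued SecretID:", issued["secret_id_ttl"])
```

The CLI equivalent is `vault write auth/approle/role/app_name_role secret_id_ttl=0 secret_id_num_uses=0 ...` followed by `vault write -f auth/approle/role/app_name_role/secret-id`. Note that a SecretID with no TTL and unlimited uses is a static, long-lived credential: handle it like a password, and when it has to be replaced, issue a new one and destroy the old one through its accessor rather than relying on expiry.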
Thanks for looking into this.
Please see this: AppRole - Auth Methods - HTTP API | Vault | HashiCorp Developer, for accepted parameters/options.
The error that you saw was that you had no definition for a role named “app_name_role”. You need to define that first before trying my command.
Anyway I think I found my issue. Will test and post back once I tested it.
That’s what I told you to do!
No it is not. I created that first, to properly demonstrate for you the warning I posted.