AppRole with non-expiring TTL for secret_id

Hi,

I just started to work with HashiCorp a few months ago, so excuse my knowledge/question.

While searching Google for old forum discussions and reading some of the HashiCorp docs, I could not figure out whether I can have a secret_id that never expires.

When I tried to generate a non-expiring secret_id like this:

vault write -f auth/approle/role/app_name_role/secret-id secret_id_ttl=0 token_num_uses=0 secret_id_num_uses=0 token_ttl=0 token_max_ttl=0

The result came back with:

Key                   Value
secret_id             abcedefg-eecf-4cb4-0586-574d6a7ff001
secret_id_accessor    yxzefgth-0597-b72e-fe7e-a3cc28a41758
secret_id_ttl         2764800   —> 32 days…

How am I supposed to code or generate the AppRole secret_id key so that an application can retrieve its secrets after, let's say, 300 days when I restart it? I need a way to avoid changing the secret_id every 32 days. The issue is that we can't easily restart the app once it is in production, as it is mission critical and a restart to renew the secret_id will cause customer impact…

I ran the exact command you posted:

$ vault write -f auth/approle/role/app_name_role/secret-id secret_id_ttl=0 token_num_uses=0 secret_id_num_uses=0 token_ttl=0 token_max_ttl=0
WARNING! The following warnings were returned from Vault:

  * Endpoint ignored these unrecognized parameters: [secret_id_num_uses
  secret_id_ttl token_max_ttl token_num_uses token_ttl]

Key                   Value
---                   -----
secret_id             e4407e41-b8a8-bfa0-85a6-8db2453688ed
secret_id_accessor    d3f0b086-67cf-cd37-359a-5958a6d508e1
secret_id_num_uses    0
secret_id_ttl         30s

And Vault helpfully pointed out that that endpoint doesn’t accept any of those parameters.

Do check the docs to avoid making up parameters to endpoints that don’t actually exist.

If you want to set secret_id_ttl to zero (unlimited), you can, but you have to do it via one of the configuration endpoints that supports that.
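Added example, not code from the thread or from HashiCorp: a standard-library Python script against the Vault HTTP API that sets secret_id_ttl=0 on the role configuration endpoint first and only then mints a secret_id, which is the order described above. It assumes VAULT_ADDR and VAULT_TOKEN are set, the approle method is mounted at the default path, and the role name app_name_role from the thread; misplaced_params reproduces the "unrecognized parameters" check from the warning above.

```python
import json
import os
import urllib.request

# Role-level parameter names (from the AppRole API) that only the role
# configuration endpoint accepts; the .../secret-id endpoint ignores them.
ROLE_ONLY_PARAMS = {"secret_id_ttl", "secret_id_num_uses", "token_ttl",
                    "token_max_ttl", "token_num_uses"}


def misplaced_params(params):
    """Keys that would trigger Vault's 'unrecognized parameters' warning on .../secret-id."""
    return sorted(k for k in params if k in ROLE_ONLY_PARAMS)


def role_config(token_ttl="1h", token_max_ttl="24h", policies=("default",)):
    """Role payload: secret_id_ttl=0 and secret_id_num_uses=0 make minted secret_ids unlimited."""
    return {"secret_id_ttl": 0, "secret_id_num_uses": 0,
            "token_ttl": token_ttl, "token_max_ttl": token_max_ttl,
            "token_policies": list(policies)}


def is_non_expiring(secret_id_info):
    """True when accessor-lookup data reports a secret_id_ttl of 0 (Vault reports seconds)."""
    return int(secret_id_info.get("secret_id_ttl", 0)) == 0


def vault(method, path, payload=None):
    """Minimal Vault HTTP API call using VAULT_ADDR and VAULT_TOKEN from the environment."""
    body = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR'].rstrip('/')}/v1/{path}", data=body, method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()          # role writes return 204 with an empty body
    return json.loads(raw) if raw else {}


def configure_role_and_issue(role="app_name_role"):
    """Write the role config, mint a secret_id, then verify its TTL via the accessor lookup."""
    vault("POST", f"auth/approle/role/{role}", role_config())
    issued = vault("POST", f"auth/approle/role/{role}/secret-id", {})["data"]
    info = vault("POST", f"auth/approle/role/{role}/secret-id-accessor/lookup",
                 {"secret_id_accessor": issued["secret_id_accessor"]})["data"]
    return issued["secret_id"], is_non_expiring(info)


if __name__ == "__main__":
    _secret_id, forever = configure_role_and_issue()   # keep the secret_id out of logs
    print(f"secret_id issued; non-expiring per accessor lookup: {forever}")
```

The accessor lookup lets an operator confirm the TTL of an issued secret_id without ever handling the secret_id value itself.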

Hi maxb,

Thanks for looking into this.

Please see the AppRole HTTP API docs (AppRole - Auth Methods - HTTP API | Vault | HashiCorp Developer) for accepted parameters/options.
The error that you saw was because you had no definition for a role named "app_name_role". You need to define that first before trying my command.

Anyway, I think I found my issue. I will test and post back once I have tested it.

That’s what I told you to do!

No it is not. I created that first, to properly demonstrate for you the warning I posted.