We have an OSS Vault running where auth tokens are manually put into a server that runs a cron job every night. We would like to know how often we need to change this token. The sys/auth/token/tune looks like this:
How can I see the TTL on my tokens? max_lease_ttl seems to have been put in to make them last forever but we frequently and unexpectedly see tokens that are expired.
(We are working on automatically renewing and configuring tokens in the future)
What @jeffsanicola said, that’ll show you the TTL of a token.
I just want to point out that max_lease_ttl is most likely meaningless. Check the max-ttl defined in the Vault configuration file, even though you can ask for any TTL … A token’s maximum lifetime is “max-ttl” no matter how many refreshes and updates you have in your auth method.
For example, in approle you can say 9999 days for the auth’s max ttl, but when your system’s max ttl is (by default) 768h, after 768h the token will be revoked. You can’t get away with renewals either; max-ttl always wins.
One last note – specifying a “service” token is meaningless; all tokens are service tokens unless they’re specifically requested to be batch.
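Added example, not part of the thread: a small Python helper that takes the JSON from `vault token lookup -format=json` and works out when the token expires as it stands and the latest point it can be renewed to, following the "max-ttl always wins" rule described in the reply. The sample JSON, the function name `token_deadlines` and the 768h cap passed in are assumptions for illustration, and a non-periodic token is assumed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the output of `vault token lookup -format=json`.
SAMPLE_LOOKUP = json.loads("""
{"data": {"creation_time": 1700000000, "creation_ttl": 86400, "ttl": 3600,
          "explicit_max_ttl": 0, "renewable": true, "type": "service"}}
""")

# Assumption: the effective max TTL is the 768h default mentioned in the reply.
DEFAULT_MAX_TTL = timedelta(hours=768)


def token_deadlines(lookup, now, max_ttl=DEFAULT_MAX_TTL):
    """Return when the token expires as-is and when it must be replaced."""
    data = lookup["data"]
    created = datetime.fromtimestamp(data["creation_time"], tz=timezone.utc)
    if data["ttl"] == 0:
        # A TTL of 0 in the lookup means the token has no expiry at all.
        return {"expires": None, "hard_stop": None,
                "renewal_helps": False, "replace_by": None}
    # "ttl" is the time remaining from now, not the TTL it was created with.
    expires = now + timedelta(seconds=data["ttl"])
    # Assumption: an explicit max TTL on the token can only tighten the cap.
    cap = max_ttl
    if data.get("explicit_max_ttl", 0) > 0:
        cap = min(cap, timedelta(seconds=data["explicit_max_ttl"]))
    hard_stop = created + cap
    # Renewal only buys time while the current expiry is still before the cap.
    renewal_helps = bool(data.get("renewable")) and expires < hard_stop
    replace_by = hard_stop if renewal_helps else min(expires, hard_stop)
    return {"expires": expires, "hard_stop": hard_stop,
            "renewal_helps": renewal_helps, "replace_by": replace_by}


if __name__ == "__main__":
    # Constructed "now": 23 hours after the sample token was created.
    now = datetime.fromtimestamp(1700082800, tz=timezone.utc)
    for key, value in token_deadlines(SAMPLE_LOOKUP, now).items():
        print(f"{key}: {value}")
```

For the cron job in the question, `replace_by` is the date by which a fresh token has to be placed on the server, whatever renewals happen in between.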