Auth token TTL, how to see


We have an OSS vault running where auth tokens are manually put into a server that runs a cron job every night. We would like to know how often we need to change this token. The sys/auth/token/tune looks like this:

Key                  Value
---                  -----
default_lease_ttl    768h
description          token based credentials
force_no_cache       false
max_lease_ttl        999999h
token_type           default-service

How can I see the TTL on my tokens? max_lease_ttl seems to have been put in to make them last forever but we frequently and unexpectedly see tokens that are expired.

(We are working on automatically renewing and configuring tokens in the future)

Best regards,
Markus Haugsdal

The command vault token lookup or the equivalent API endpoint should get you what you’re after.

When run, a ttl value will be displayed; this is the remaining TTL on your token.

What @jeffsanicola said, that’ll show you the TTL of a token.

I just want to point out that max_lease_ttl is most likely meaningless. Check the max-ttl defined in the vault configuration file, even though you can ask for any TTL … A token’s maximum lifetime is “max-ttl” no matter how many refreshes and updates you have in your auth method.

For example, in approle you can say 9999 days for the auth’s max ttl, but when your system’s max ttl is (by default) 768h, after 768h the token will be revoked. You also can’t get away with renewals either, max-ttl always wins.

One last note – specifying “service” token is meaningless, all tokens are service tokens unless they’re specifically requested to be batch.

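The two replies above say, in short: read the remaining `ttl` from `vault token lookup`, and remember that renewals can never push a token past its max-ttl. Below is an added Python example (not from the thread, not Vault's own code) that makes both points concrete offline. It parses a constructed JSON payload shaped like `vault token lookup -format=json` (the `ttl`, `creation_ttl`, `explicit_max_ttl`, `issue_time`, `expire_time` and `renewable` fields are real Vault output fields; the values are made up), then works out the hard deadline `issue_time + max-ttl` and shows how a renewal request gets clipped to it. The precedence it assumes follows the reply above: the effective cap is the smallest of the system max-ttl, the mount's `max_lease_ttl` and any non-zero `explicit_max_ttl` on the token. Check the precedence rules documented for your Vault version if your mount tuning differs.

```python
"""Interpret `vault token lookup -format=json` output and the effect of max-ttl on renewals.

Added example; the sample payload below is constructed, not captured from a real Vault.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample shaped like `vault token lookup -format=json` (values are made up).
SAMPLE_LOOKUP = json.dumps({
    "data": {
        "accessor": "PLACEHOLDER_ACCESSOR",
        "creation_ttl": 2764800,            # 768h in seconds: the TTL the token was issued with
        "display_name": "token",
        "explicit_max_ttl": 0,              # 0 = no explicit max set on the token itself
        "expire_time": "2024-01-15T00:00:00Z",
        "issue_time": "2024-01-01T00:00:00Z",
        "renewable": True,
        "ttl": 604800,                      # seconds of lifetime left at lookup time (7 days)
        "type": "service",
    }
})

_DURATION_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(spec: str) -> timedelta:
    """Parse a Vault-style duration string such as "768h", "30m" or "999999h"."""
    m = re.fullmatch(r"(\d+)([smhd])", spec.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {spec!r}")
    return timedelta(seconds=int(m.group(1)) * _DURATION_UNITS[m.group(2)])


def _parse_time(value: str) -> datetime:
    """Vault emits RFC 3339 timestamps; normalise the trailing Z for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def remaining_ttl(lookup_json: str) -> timedelta:
    """The `ttl` field of `vault token lookup`: seconds of lifetime left right now."""
    data = json.loads(lookup_json)["data"]
    return timedelta(seconds=int(data["ttl"]))


def effective_max_ttl(system_max: str, mount_max: str, explicit_max_seconds: int = 0) -> timedelta:
    """Smallest cap that applies to the token (assumed precedence: min of all non-zero caps)."""
    caps = [parse_duration(system_max), parse_duration(mount_max)]
    if explicit_max_seconds > 0:
        caps.append(timedelta(seconds=explicit_max_seconds))
    return min(caps)


def renew_outcome(lookup_json: str, system_max: str, mount_max: str, requested_increment: str) -> dict:
    """Where expire_time would land if the token were renewed for `requested_increment` now.

    The hard deadline is issue_time + effective max-ttl; a renewal can only move
    expire_time up to that point, never beyond it.
    """
    data = json.loads(lookup_json)["data"]
    issue = _parse_time(data["issue_time"])
    expire = _parse_time(data["expire_time"])
    cap = effective_max_ttl(system_max, mount_max, int(data.get("explicit_max_ttl", 0)))
    hard_deadline = issue + cap
    # Lookup time is not in the payload; derive it from expire_time minus the reported ttl.
    now = expire - timedelta(seconds=int(data["ttl"]))
    wanted = now + parse_duration(requested_increment)
    granted = min(wanted, hard_deadline)
    return {
        "renewable": bool(data["renewable"]),
        "hard_deadline": hard_deadline.isoformat(),
        "granted_expire_time": granted.isoformat(),
        "capped_by_max_ttl": wanted > hard_deadline,
        "lifetime_left_after_renewal": str(max(hard_deadline - granted, timedelta(0))),
    }


if __name__ == "__main__":
    print("remaining ttl:", remaining_ttl(SAMPLE_LOOKUP))
    # System max-ttl at the 768h default, mount tuned to 999999h as in the question.
    for increment in ("24h", "768h"):
        print(f"renew +{increment}:", renew_outcome(SAMPLE_LOOKUP, "768h", "999999h", increment))
```

With the constructed payload the token was issued on 1 January with a 768h system max-ttl, so its hard deadline is 2 February regardless of the mount's 999999h setting; a renewal asking for another 768h is clipped to that deadline, which is the behaviour the reply above describes. Replace `SAMPLE_LOOKUP` with the real output of `vault token lookup -format=json` to inspect one of your own tokens.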