Create a token that doesn't expire or ttl to max duration

I know it’s not a best practice to create a token which doesn’t expire, but I am trying to create a token for one of our situations and it doesn’t look like I can create a token that doesn’t expire. I also tried to create an approle with secret id ttl set to 0, and when I login the token it gives has a duration of only 12 hours even though I changed the approle auth method max ttl to 768h (actually I want a much larger value but for testing used 768h). Btw, I have my max ttl set to 12h in the vault configuration file, but since I override the value in the approle auth method, I guess it doesn’t matter. Any expert pointers here please? Thanks in advance.

Indeed, the Vault documentation explicitly explains that only root tokens are allowed to have no expiry.

SecretID TTL is one thing and Token TTL is another. SecretIDs are allowed to have an unlimited TTL, and that’s what zero means in this context.

In this context, the max_ttl is the TTL to which you may extend the token’s validity by using the CLI command vault token renew.

To affect the initial TTL of the token at login, you need to update the:

  • token_ttl of the AppRole role
  • or if the previous item is zero, it is taken from the default lease TTL set on the AppRole auth method
  • or if the previous item is zero, it is taken from the default lease TTL in the Vault server configuration file
  • or if the previous item is unset, it is taken from a compiled-in default of 32 days.
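As an added illustration (not code from the thread), the chain above and the cap imposed by the effective max TTL can be written as a small Python resolver, which lets you predict what TTL a login will get for a given combination of role, auth-method and server settings. The function names, the duration parser and the sample values are my own assumptions; the cap at the effective max TTL is standard Vault behaviour rather than something stated in this answer.

```python
import re

# Vault's compiled-in default lease TTL (32 days), the last fallback in the chain.
COMPILED_IN_DEFAULT_TTL_SECONDS = 32 * 24 * 3600

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Parse a Vault-style duration ('768h', '30m', '12h30m', '0', 3600) into seconds.

    None and '' mean "unset" and return None; a bare integer is taken as seconds.
    """
    if value is None or value == "":
        return None
    if isinstance(value, int):
        return value
    s = value.strip()
    if s.isdigit():
        return int(s)
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([smhd])", s):
        if m.start() != pos:  # reject junk between components, e.g. '12h x30m'
            raise ValueError(f"bad duration: {value!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(s):
        raise ValueError(f"bad duration: {value!r}")
    return total


def resolve_token_ttl(role_token_ttl, auth_default_lease_ttl,
                      server_default_lease_ttl, effective_max_ttl):
    """Walk the precedence chain from the answer above.

    role token_ttl -> auth method default lease TTL -> server default_lease_ttl
    -> compiled-in 32 days. Zero or unset means "fall through to the next one".
    The result is then capped at the effective max TTL (hypothetical inputs, all
    assumed to be the values already in force for the mount being used).
    """
    ttl = COMPILED_IN_DEFAULT_TTL_SECONDS
    for candidate in (role_token_ttl, auth_default_lease_ttl, server_default_lease_ttl):
        secs = parse_duration(candidate)
        if secs:  # skips both None (unset) and 0
            ttl = secs
            break
    max_secs = parse_duration(effective_max_ttl)
    if max_secs:
        ttl = min(ttl, max_secs)
    return ttl
```

With a role token_ttl of 0 the login inherits whatever the mount or server default is, so a short server default_lease_ttl produces a short token even when max_ttl on the mount has been raised.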