Custom X-Vault-Wrap-TTL with API does not work, but with CLI it does

I am using the Hashivault agent in a Windows environment, and I have set it up as a Windows service. Other API calls and CLI commands are working.

When I create a wrap request with some data in the request body I get the default TTL of 300s back. The "X-Vault-Wrap-TTL" value is somehow overwritten or ignored.

Invoke-WebRequest -Uri "$VaultAddress/v1/sys/wrapping/wrap" `
    -Headers @{
        "X-Vault-Token"    = $Token;
        "X-Vault-Wrap-TTL" = "400s"
    } `
    -Method POST `
    -Body $Body `
    -ContentType $ContentType

I have also tried this with curl, same exact issue.

curl --header "X-Vault-Token:..." --header "X-Vault-Wrap-TTL: 400s" --request POST --data "foo=bar" http://127.0.0.1:8200/v1/sys/wrapping/wrap

But if I use the Vault agent CLI, it works and I get my preferred TTL. Therefore it can't be an authorisation issue.

PS C:\HashiVault> .\vault write -wrap-ttl=80m sys/wrapping/wrap foo=bar

Key                              Value
---                              -----
wrapping_token:                  hvs....
wrapping_accessor:               ....
wrapping_token_ttl:              1h20m
wrapping_token_creation_time:    2024-08-...
wrapping_token_creation_path:    sys/wrapping/wrap

Thank you for any help.

Odd, I've never used it with the API.
Maybe you are using an older version of HashiCorp Vault Server, or it could be a bug.

I have figured out the issue. If I send the request directly to the Vault server without using the Vault agent as a forwarding proxy, it works. Somehow the Vault agent overrides the setting.

But I don’t know where I can change this override.

What does your Vault agent config look like (de-identified please)? I have not used Vault agent, but looking over this doc:

Could wrap_ttl be causing what you are seeing?

I created the configuration as per the documentation and looked at the Udemy course to see if I had made any mistakes.

pid_file = ".../agent.pid"

log_file = ".../agent-warning.log"
log_level = "trace"

vault {
	address = "${env:VAULT_ADDR}"
}

auto_auth {
	method "approle" {
		mount_path = "auth/temp_approle"
		min_backoff = "5s"
		max_backoff = "60s"
		exit_on_err = true
		config = {
			role_id_file_path = "...role.txt"
			secret_id_file_path = "...secret.txt"
			remove_secret_id_file_after_reading = false
		}
	}
	sink "file" {
		wrap_ttl = "30m"
		config = {
			path = "...sink.json"
		}
	}
}

cache {
	use_auto_auth_token = true
	cache_duration = "60m"
	max_entry_count = 0
}

listener "tcp" {
	address = "127.0.0.1:8200"
	tls_disable = true
	retry {
		num_retries = 5
		retry_wait_min = "1s"
		retry_wait_max = "5s"
	}
}

The first time the AppRole works and my wrap_ttl is 30 min. For my approach, I need to unwrap and rewrap the token in the sink file. If I give the command directly to the server it works, but via the agent the agent overrides the value or ignores it, resulting in the default wrap_ttl of 5 minutes being used.
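Since a silently shortened or lengthened wrap TTL changes how long the wrapped token stays unwrappable, it is worth checking the TTL the server actually granted rather than trusting the header. The following is an added example (not code from the thread or from HashiCorp): it builds the wrap request with a correctly formed colon-separated header, and compares the `wrap_info.ttl` field of the response with the requested duration. The two responses are constructed samples shaped like Vault's wrap response, one mirroring the direct-to-server case (400s honoured) and one mirroring the agent-proxied case (300s default) described in this thread; the `send_wrap_request` helper is only used against a live Vault and is not called here.

```python
"""Check that a Vault response wrapping honoured the requested X-Vault-Wrap-TTL.

Added example for the thread above; sample responses are constructed inline
so the check runs offline. Only send_wrap_request() talks to a real server.
"""
import json
import re
import urllib.request

# Vault's default response-wrapping TTL in seconds (the 300s / 5 min the poster saw).
VAULT_DEFAULT_WRAP_TTL = 300

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(value):
    """Convert a Vault duration string ('400s', '80m', '1h20m', '400') to seconds."""
    text = value.strip()
    if text.isdigit():
        return int(text)  # bare integers are seconds
    total, consumed = 0, 0
    for number, unit in re.findall(r"(\d+)([smh])", text):
        total += int(number) * _UNIT_SECONDS[unit]
        consumed += len(number) + 1
    if consumed != len(text):  # leftover characters mean an unrecognised format
        raise ValueError(f"unrecognised duration: {value!r}")
    return total


def build_wrap_request(vault_addr, token, wrap_ttl, payload):
    """Return (url, headers, body) for POST /v1/sys/wrapping/wrap.

    The header is 'Name: value'; a curl flag like --header "X-Vault-Wrap-TTL=400s"
    does not set the header and Vault falls back to its default TTL.
    """
    url = f"{vault_addr.rstrip('/')}/v1/sys/wrapping/wrap"
    headers = {
        "X-Vault-Token": token,
        "X-Vault-Wrap-TTL": wrap_ttl,
        "Content-Type": "application/json",
    }
    return url, headers, json.dumps(payload)


def send_wrap_request(vault_addr, token, wrap_ttl, payload):
    """Send the wrap request to a live Vault (or agent proxy) and return the parsed JSON."""
    url, headers, body = build_wrap_request(vault_addr, token, wrap_ttl, payload)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_wrap_ttl(response_json, requested_ttl):
    """Compare wrap_info.ttl with the requested TTL.

    Returns (ok, granted_seconds, message). When the granted value equals Vault's
    default, the message points at an intermediary dropping the header, which is
    the symptom reported when the request goes through the agent listener.
    """
    wrap_info = response_json.get("wrap_info") or {}
    granted = wrap_info.get("ttl")
    if granted is None:
        return False, None, "response has no wrap_info.ttl; it is not a wrapped response"
    wanted = parse_duration(requested_ttl)
    if granted == wanted:
        return True, granted, f"wrap TTL honoured ({granted}s)"
    hint = ""
    if granted == VAULT_DEFAULT_WRAP_TTL:
        hint = (" (equals Vault's default; the X-Vault-Wrap-TTL header was most likely "
                "dropped or overridden by an intermediary such as the agent proxy)")
    return False, granted, f"requested {wanted}s but got {granted}s{hint}"


# Constructed sample responses (token/accessor values are placeholders).
DIRECT_RESPONSE = {
    "request_id": "", "lease_id": "", "renewable": False, "lease_duration": 0, "data": None,
    "wrap_info": {"token": "hvs.PLACEHOLDER", "accessor": "PLACEHOLDER", "ttl": 400,
                  "creation_time": "2024-08-01T00:00:00Z",
                  "creation_path": "sys/wrapping/wrap"},
    "warnings": None, "auth": None,
}
AGENT_RESPONSE = json.loads(json.dumps(DIRECT_RESPONSE))
AGENT_RESPONSE["wrap_info"]["ttl"] = VAULT_DEFAULT_WRAP_TTL


def demo():
    """Run the check over both samples; returns the two (ok, granted, message) tuples."""
    return check_wrap_ttl(DIRECT_RESPONSE, "400s"), check_wrap_ttl(AGENT_RESPONSE, "400s")


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Pointing `send_wrap_request` at the server address and then at the agent listener address, with the same token and TTL, reproduces the comparison the poster made by hand; any mismatch reported by `check_wrap_ttl` is the condition to alert on before relying on the wrapped token's lifetime.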

Looks like this may be a known issue:

May be worth commenting to raise that it's still ongoing.