I’m facing a problem with my dynamic secrets while using databases, specifically MySQL: when a user logs into the UI and requests a new credential, it’s valid for about a week (6-7 days) before Vault decides to revoke the lease. I have all my TTLs set pretty high, so I really don’t understand why it is revoking my leases too soon.
The only thing I can think of is the auth method for my users, which is OIDC, where the token could be expiring soon and that somehow triggers a “cascade” revocation of the leases associated with the auth? My auth TTLs are more than 7 days, so that makes no sense. At this point I’m not sure what’s causing this; any help will be great!
The problematic role that is supposed to be providing credentials with a TTL of 90 days is the following (the UI still shows 1 hour, but that’s apparently a bug? If I use the CLI it shows the values correctly).
The default lease TTL is 7776000, in seconds I believe, and if I translate it to hours it is 2160; both match 90 days. If it’s 9 days then that might be the issue, however I don’t see anything that matches 9 days.
Yes, maxb is correct. I have a global and a max TTL per mount; in this case, for the dynamic secrets on my database mount, it is overridden.
Your “database” connection has its own TTL. Although all child tokens are related, in this case the TTL from the database connection is not overridden, otherwise you would never be able to create a short-term dynamic user.
If I create a DB role that has a 60-second TTL, it’ll expire in 60 seconds no matter what my auth token is set to or how much time I have left on my auth token (if that is less, both will expire).
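To make the layering discussed above concrete, here is an added example (not code from the thread, and not HashiCorp Vault's own code) that models how a dynamic database credential's lease is derived: the most specific default TTL (role, then mount, then system) is taken, then truncated by whichever max TTL is tightest (role `max_ttl`, mount `max_lease_ttl`, Vault's built-in 768h system max), and finally the credential cannot outlive the token that requested it, because leases are children of that token and are revoked with it. The ordering is a simplified model and the specific numbers (a 90-day role under a mount tuned to `max_lease_ttl=168h`, token TTLs of 2 and 30 days) are assumed scenarios, not values stated in the thread:

```python
# Added example, not code from the original thread or from HashiCorp Vault.
# It models the TTL layering Vault applies to a dynamic database credential
# so you can see why a 90-day role TTL can still yield a 7-day lease.
from dataclasses import dataclass
from typing import Tuple

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value) -> int:
    """Parse a Vault-style duration ('768h', '90d', '7776000') into seconds.

    A bare integer, as in the role shown in the thread, is taken as seconds,
    which is how the Vault CLI and API interpret it.
    """
    if isinstance(value, int):
        return value
    value = value.strip()
    if value and value[-1] in _UNITS:
        return int(value[:-1]) * _UNITS[value[-1]]
    return int(value)


@dataclass
class TTLLayers:
    """The TTL settings that influence one lease. '0' means 'not set'.

    Defaults mirror Vault's built-in default_lease_ttl / max_lease_ttl (768h);
    every other value is an assumed input for the scenarios below.
    """
    system_default: str = "768h"
    system_max: str = "768h"
    mount_default: str = "0"   # vault secrets tune -default-lease-ttl=... database/
    mount_max: str = "0"       # vault secrets tune -max-lease-ttl=... database/
    role_default: str = "0"    # database role default_ttl
    role_max: str = "0"        # database role max_ttl


def lease_ttl(layers: TTLLayers) -> Tuple[int, str]:
    """Return (seconds, layer) for the lease Vault would issue.

    The most specific default wins (role, then mount, then system); the result
    is then capped by every max that is set, and the tightest cap is reported.
    This ordering is a simplified model of Vault's behaviour, assumed here.
    """
    defaults = [
        (layers.role_default, "role default_ttl"),
        (layers.mount_default, "mount default_lease_ttl"),
        (layers.system_default, "system default_lease_ttl"),
    ]
    ttl, source = next(
        (parse_duration(v), name) for v, name in defaults if parse_duration(v) > 0
    )
    caps = [
        (layers.role_max, "role max_ttl"),
        (layers.mount_max, "mount max_lease_ttl"),
        (layers.system_max, "system max_lease_ttl"),
    ]
    for value, name in caps:
        secs = parse_duration(value)
        if 0 < secs < ttl:
            ttl, source = secs, name
    return ttl, source


def credential_lifetime(layers: TTLLayers, token_ttl_remaining) -> Tuple[int, str]:
    """How long the MySQL user actually survives, and why.

    A lease is a child of the token that requested it, so when that token
    expires the lease is revoked with it even if the lease has time left.
    """
    ttl, source = lease_ttl(layers)
    token_left = parse_duration(token_ttl_remaining)
    if token_left < ttl:
        return token_left, "parent token expiry (cascading revocation)"
    return ttl, source


if __name__ == "__main__":
    # Assumed scenario: role default_ttl of 7776000s (90 days) under a
    # database mount tuned to max_lease_ttl=168h (7 days).
    tuned = TTLLayers(role_default="7776000", mount_max="168h")
    print(lease_ttl(tuned))                          # (604800, 'mount max_lease_ttl')
    # Same role with no mount cap: Vault's 768h system max still applies.
    print(lease_ttl(TTLLayers(role_default="90d")))  # (2764800, 'system max_lease_ttl')
    # A 60-second role is unaffected by a token with 30 days left ...
    print(credential_lifetime(TTLLayers(role_default="60s"), "30d"))  # (60, 'role default_ttl')
    # ... but a 7-day lease requested by a token with 2 days left dies in 2 days.
    print(credential_lifetime(tuned, "2d"))  # (172800, 'parent token expiry (cascading revocation)')
```

The practical check this suggests is `vault read sys/mounts/database/tune` (for the mount's `max_lease_ttl`) next to `vault read database/roles/<role>` (for `default_ttl`/`max_ttl`), and `vault token lookup` on the requesting token: whichever of those is smallest is the lifetime the credential will actually get, regardless of what the role alone says.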
Gosh, well, it’s nice to find that out. I guess I can stop attempting to have a productive interaction with @aram when I respond to something they said.
I joined this site a bit less than 3 months ago, and in that time my only interaction with @aram has been in 14 public topics (as best as I can find in my activity history), often disagreeing with them or correcting factual points:
And the only response I ever got in all of those from @aram was:
To be blocked simply for challenging incorrect information is really quite shocking to me!
EDIT: It seems some community member or members decided to flag my post, which was made to defend my reputation in the face of an implied accusation of having done something worthy of being blocked, as “off-topic”, which seems like an abuse of the flag system to me. I invite anyone who has a problem with my posts to engage with me in reasonable discussion, rather than seeking to suppress my messages using false flags.