As result of vault initialization, a root token without expiration is generated. Can this root token be disabled? If yes, what’s the procedure for doing so?
Our desire is to:
Yes, you’re on the right track, it’s definitely a best practice to revoke the root token. We touch on it in our Production Hardening Guide under “Avoid Root Tokens”. It also includes a couple tips like how to regenerate a root token if needed.
Regarding using time-bound highly privileged tokens through a different auth method, that may be tenable if you think they’ll be needed quite regularly. However, if you’d like to be safer with them and it works for your use case, it may be better to go through the root token generation process on the occasions when they’re needed.
Hi Shang,
You should be able to simply revoke the root token. That is actually our recommendation, see https://learn.hashicorp.com/vault/operations/production-hardening, “Avoid Root Tokens”.