Disable the initial root token

As a result of vault initialization, a root token without expiration is generated. Can this root token be disabled? If yes, what’s the procedure for doing so?

Our desire is to:

  1. disable the initial root token
  2. exclusively use time-bound root tokens by using a different auth method with a low TTL, instead of relying on the default root token, which does not expire.

Yes, you’re on the right track, it’s definitely a best practice to revoke the root token. We touch on it in our Production Hardening Guide under “Avoid Root Tokens”. It also includes a couple of tips like how to regenerate a root token if needed.

Regarding using time-bound highly privileged tokens through a different auth method, that may be tenable if you think they’ll be needed quite regularly. However, if you’d like to be safer with them and it works for your use case, it may be better to go through the root token generation process on the occasions when they’re needed.

1 Like
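The steps discussed above (revoke the initial root token, log in through a different auth method whose tokens expire, and fall back to the generate-root procedure only when a real root token is needed), written out as an added shell example. This is not code from the thread or from HashiCorp; the userpass method, the policy name `admin`, the user `breakglass`, the TTL values and the token placeholder are assumptions chosen for illustration. Every command goes through `$VAULT` so the script can be dry-run with `VAULT=echo` before pointing it at a real server.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or HashiCorp docs): retire the initial
# root token and set up a short-lived admin login via the userpass auth
# method. All commands run through $VAULT so the script can be dry-run
# with VAULT=echo. User/policy names and the token value are placeholders.
set -eu

VAULT="${VAULT:-vault}"

# Revoke the non-expiring root token printed by `vault operator init`.
# Pass it in explicitly; it should not stay in shell history or env files.
revoke_initial_root() {
  root_token="$1"
  "$VAULT" token revoke "$root_token"
}

# `vault token lookup` exits non-zero once a token is revoked, so the exit
# status doubles as a check that the revocation actually took effect.
token_is_valid() {
  "$VAULT" token lookup "$1" >/dev/null 2>&1
}

# Create an admin policy and a userpass user whose tokens expire.
# token_ttl / token_max_ttl are real userpass user parameters; the values
# here are illustrative. `auth enable` fails if userpass is already enabled.
setup_timebound_admin() {
  user="$1"
  password="$2"
  "$VAULT" policy write admin - <<'EOF'
# Broad admin policy (assumption: narrow this to what operators really need)
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF
  "$VAULT" auth enable userpass
  "$VAULT" write "auth/userpass/users/${user}" \
    password="$password" \
    policies=admin \
    token_ttl=15m \
    token_max_ttl=1h
}

# For the rare occasion a real root token is needed again, start the
# generate-root procedure. Finishing it requires a quorum of unseal or
# recovery key shares plus the OTP printed here to decode the encoded token.
start_root_regeneration() {
  "$VAULT" operator generate-root -init
}

# Usage against a real server (INITIAL_ROOT_TOKEN is the value from init):
#   revoke_initial_root "$INITIAL_ROOT_TOKEN"
#   setup_timebound_admin breakglass "$(openssl rand -base64 24)"
```

After `revoke_initial_root`, `token_is_valid "$INITIAL_ROOT_TOKEN"` should return non-zero; a login via `vault login -method=userpass username=breakglass` then yields a token that expires after 15 minutes and cannot be renewed past one hour, which is the time-bound behaviour the question asks for.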

Hi Shang,

You should be able to simply revoke the root token. That is actually our recommendation, see https://learn.hashicorp.com/vault/operations/production-hardening, “Avoid Root Tokens”.

1 Like