Does Approle secret ID TTL timeout when set to 0?

dahuang-purestorage · June 8, 2022, 12:57am

Hi I’m looking into using Approle authentication for our app. I am setting the secret ID ttl to 0, so I don’t need to update it.
I was wondering if the secret id ever expires after a long period of time or it lasts forever? I encounter this post on slackoverflow: app secret - How to use Hashicorp Vault's AppRole in production? - Stack Overflow.
Just want to double check since the default TTL was not discussed in the Approle Pull Authentication tutorial: AppRole Pull Authentication | Vault - HashiCorp Learn

Thanks!

maxb · June 8, 2022, 4:05am

secret_id_ttl of 0 does indeed mean unlimited.

aram · June 10, 2022, 8:41am

I’m a little confused, you’re using approle but don’t want to use your secret id? What’s the purpose of the approle then?

Maybe you mean you don’t want the approle to linger after use? If so you can set the use secret_id_num_uses to 1 … which means the secret id expires after a successful authentication (during the TTL). I have not test this, but my guess is that setting the TTL of a secret-id to 0 would be the same as not setting it and the TTL reverts to the default of cluster max-ttl.

maxb · June 10, 2022, 4:27pm

Not correct - 0 is unlimited for AppRole SecretIDs.

Topic		Replies	Views
AppRole with non expiry ttl for secret_id Vault	3	1202	December 29, 2022
Approle Secret ID Expires Before Expected Vault	2	1343	October 19, 2022
AppRole with non expiring service_id Vault	1	562	December 29, 2022
Feature Request: Ability to enforce strict "secret_id_ttl" defaults for AppRole that are not 0 (non-expiring, permanent) Vault	0	143	November 2, 2023
Is having a huge amount of AppRole secret IDs generated a problem Vault	5	366	September 6, 2022

Does Approle secret ID TTL timeout when set to 0?

Related topics