Hello all! Want to create two tokens, for read and write secrets

Hi there!

Want to create two tokens. One to read, and one to write.

I have some policies done in files, like this:

READ:

path "secret/*" {
  capabilities = ["read", "list"]
}

WRITE:

path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

I want these tokens only to operate with the secrets, and I want to set, for some vaults, an infinite duration, and for some of them a 10-year or 1-year duration. Is this possible?

I have read some documentation about -period and -ttl examples, but i cannot see how to get this working.

Thanks for the help, and have a nice day.

Well there are no such thing as infinite tokens (other than the root token). You can change the max ttl in your cluster configuration to anything you want – it isn’t recommended or best practice though. Hopefully it’s just you and your Vault otherwise I REALLY wouldn’t recommend doing this.

Thanks for your fast response!

I have 10h in max_ttl in my hcl config file.

What is the time limit on a token created this way?

vault policy write read read.hcl
vault token create -policy=read <parameters>

$ vault token lookup 96ddf4bc-d217-f3ba-f9bd-017055595017
will give you the TTL of your token.

There are two TTLs on tokens, a "default" and a "max", which are defined during the mount configuration. If default < max, then you can renew the TTL up to max.
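Added example (not code from anyone in this thread): a small shell script that writes the two policies from the question, raises the default/max TTL on the token auth mount, creates fixed-lifetime tokens, and creates a periodic token through a token role (the closest thing Vault has to a token that never expires, as long as it is renewed within each period). It assumes a dev server started with `vault server -dev`, `VAULT_ADDR` and `VAULT_TOKEN` exported, and that the `vault` CLI is on PATH; the policy and role names (`read`, `write`, `secrets-rw`) and the TTL values are chosen for illustration. The two helper functions at the top need no server and model the capping rule the reply describes: a requested `-ttl` larger than the mount's max is cut down to the max.

```shell
# Added example, not from the original thread. Assumes: vault CLI installed,
# VAULT_ADDR/VAULT_TOKEN exported, a dev server (vault server -dev) running.
set -eu

# Convert a Vault duration string ("8760h", "30m", "90s", "30d", or bare
# seconds) to seconds. Pure helper, no server needed.
duration_to_seconds() {
  d=$1
  n=${d%?}            # everything but the last character
  u=${d#"$n"}         # the last character (unit suffix)
  case "$u" in
    s) echo "$n" ;;
    m) echo $((n * 60)) ;;
    h) echo $((n * 3600)) ;;
    d) echo $((n * 86400)) ;;
    *) echo "$d" ;;   # no suffix: already seconds
  esac
}

# Vault caps a requested token TTL at the mount's max_lease_ttl (it warns, it
# does not fail). Predict the effective TTL before talking to the server.
effective_ttl() {   # effective_ttl REQUESTED MAX -> seconds
  req=$(duration_to_seconds "$1")
  max=$(duration_to_seconds "$2")
  if [ "$req" -lt "$max" ]; then echo "$req"; else echo "$max"; fi
}

# Write the two policies from the question (constructed inline here).
write_policies() {
  cat > read.hcl <<'EOF'
path "secret/*" {
  capabilities = ["read", "list"]
}
EOF
  cat > write.hcl <<'EOF'
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
  vault policy write read read.hcl
  vault policy write write write.hcl
}

# Raise the ceiling on the token auth mount itself. This is per-mount tuning
# and is allowed to exceed the server's max_lease_ttl. 87600h is ten years.
tune_token_mount() {
  vault auth tune -default-lease-ttl=8760h -max-lease-ttl=87600h token/
}

# Fixed-lifetime tokens: -ttl is honoured only up to the mount's max.
# -renewable=false makes the lifetime exactly what was asked for.
create_fixed_tokens() {
  vault token create -policy=read  -ttl=8760h  -renewable=false -field=token
  vault token create -policy=write -ttl=87600h -renewable=false -field=token
}

# There is no infinite token, but a periodic token has no max TTL: it keeps
# living as long as `vault token renew` is called at least once per period.
# A token role pins the period and the allowed policies server-side.
create_periodic_token() {
  vault write auth/token/roles/secrets-rw allowed_policies=write period=24h
  vault token create -role=secrets-rw -field=token
}

# Show the ttl / explicit_max_ttl / period fields for a token.
show_token() {
  vault token lookup "$1"
}

# Only hit the server when explicitly asked: `sh this.sh run`
if [ "${1:-}" = run ]; then
  command -v vault >/dev/null || { echo "vault CLI not found" >&2; exit 1; }
  write_policies
  tune_token_mount
  create_fixed_tokens
  periodic=$(create_periodic_token | tail -n 1)
  show_token "$periodic"
fi
```

Run it as `sh example.sh run` against a dev server; without `run` it only defines the functions. The role-based periodic token is the piece to use for a "never expires" token: it still dies if nobody renews it within 24h, so whatever uses it needs a renew loop (for example `vault token renew` on a schedule or an agent), which is also what gives you a way to cut it off later by simply stopping the renewals or revoking it.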

Thanks for your help Aram, have a nice day.