How to delete an accessor with no token which is not removed by tidy

We have a vault token accessor which is returned successfully in a lookup, but when we attempt to revoke the token vault returns a 400 token not found. We tried a tidy command but vault says it found no accessors without valid tokens. How can we clean up this accessor?

$ vault token lookup -accessor XXXXXXXXYYYYYYYYZZZZZZZZZ
Key                 Value
---                 -----
accessor            XXXXXXXXYYYYYYYYZZZZZZZZZ
creation_time       1685700500
creation_ttl        168h
display_name        token
entity_id           n/a
expire_time         2023-06-09T10:08:20.508020417Z
explicit_max_ttl    0s
id                  n/a
issue_time          2023-06-02T10:08:20.508034297Z
meta                [XXXXXXXXYYYYYYYYZZZZZZZZZ]
num_uses            -1
orphan              true
path                auth/token/create/XXXXXXX
policies            [XXXXXXXXYYYYYYYYZZZZZZZZZ]
renewable           true
role                xxxxxxxxxxxxx
ttl                 72h36m19s
type                service

Revoke output:

$ vault token revoke -accessor XXXXXXXXYYYYYYYYZZZZZZZZZ
Error revoking token: Error making API request.

URL: POST https://vault.example.com:8200/v1/auth/token/revoke-accessor
Code: 400. Errors:

* token not found

Tidy output:

2023-06-06T09:45:02.015Z [INFO]  token: beginning tidy operation on tokens
2023-06-06T09:45:02.098Z [INFO]  token: checking if accessors contain valid tokens: progress=500 percent_complete=53.88768898488121
2023-06-06T09:45:02.139Z [INFO]  token: number of entries scanned in parent prefix: count=1
2023-06-06T09:45:02.139Z [INFO]  token: number of entries deleted in parent prefix: count=0
2023-06-06T09:45:02.139Z [INFO]  token: number of tokens scanned in parent index list: count=9
2023-06-06T09:45:02.139Z [INFO]  token: number of tokens revoked in parent index list: count=0
2023-06-06T09:45:02.139Z [INFO]  token: number of accessors scanned: count=926
2023-06-06T09:45:02.139Z [INFO]  token: number of deleted accessors which had empty tokens: count=0
2023-06-06T09:45:02.139Z [INFO]  token: number of revoked tokens which were invalid but present in accessors: count=0
2023-06-06T09:45:02.139Z [INFO]  token: number of deleted accessors which had invalid tokens: count=0
2023-06-06T09:45:02.139Z [INFO]  token: number of deleted cubbyhole keys that were invalid: count=0
2023-06-06T09:45:02.139Z [INFO]  token: finished tidy operation on tokens

I was curious, so I had a look at the source code.

The key piece of information in your post is this:

This means that the token has run out of uses and should be revoked when a request that is currently executing finishes.

Except… if this has lasted long enough that you have to make a forum post about it, it seems like the request that used the last use of the token probably crashed in some way, leaving the token behind, stuck in this state.

I can’t see any provision in the source code for recovering from this condition.

It may be that the token does go away when it expires:

but whether it does or does not, I think you have good reason to open a bug report on Vault about it having got into this stuck state from which you cannot easily recover.

Oh, and regarding your post’s title:

How to delete an accessor with no token

Your accessor does have a token.

The lookup operation simply refuses to disclose it for security reasons.
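A small audit script, added here as an example and not part of either post, that walks every accessor on the token auth backend and flags the state the answer describes (a lookup that succeeds with num_uses -1, i.e. a token marked used-up and waiting on a request that will never finish), plus tokens whose expire_time has already passed. It assumes the vault CLI is on PATH with VAULT_ADDR and VAULT_TOKEN set, and that -format=json lookups expose num_uses and expire_time under "data"; classify_lookup() is the pure part and can be checked offline against the lookup values from the question.

```python
import json
import subprocess
from datetime import datetime, timezone

# Assumption: `vault` CLI on PATH, VAULT_ADDR/VAULT_TOKEN exported.
PENDING_REVOCATION = -1  # num_uses value the answer explains as "out of uses"


def vault_json(subcommand, *args):
    """Run e.g. ['token', 'lookup'] with -format=json and parse the result."""
    cmd = ["vault", *subcommand, "-format=json", *args]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def parse_rfc3339(ts):
    """Parse the expire_time vault prints: nanosecond fraction, trailing Z."""
    head, _, frac = ts.rstrip("Z").partition(".")
    micro = (frac + "000000")[:6]  # datetime handles microseconds only
    return datetime.strptime(f"{head}.{micro}",
                             "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def classify_lookup(data, now):
    """Classify one token-lookup 'data' dict relative to 'now'.

    "pending_revocation": num_uses is -1, the stuck state tidy does not clean;
    "expired": expire_time has passed, vault should remove it on its own;
    "ok": nothing unusual.
    """
    if data.get("num_uses") == PENDING_REVOCATION:
        return "pending_revocation"
    expire = data.get("expire_time")
    if expire and parse_rfc3339(expire) <= now:
        return "expired"
    return "ok"


def audit_accessors(now=None):
    """Return {accessor: verdict} for every accessor that is not 'ok'."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for accessor in vault_json(["list"], "auth/token/accessors")["data"]["keys"]:
        try:
            data = vault_json(["token", "lookup"], "-accessor", accessor)["data"]
        except subprocess.CalledProcessError:
            continue  # accessor with no token at all: `vault token tidy` handles it
        verdict = classify_lookup(data, now)
        if verdict != "ok":
            findings[accessor] = verdict
    return findings


if __name__ == "__main__":
    for acc, verdict in sorted(audit_accessors().items()):
        print(f"{acc}\t{verdict}")
```

Accessors reported as pending_revocation are the ones worth attaching to the bug report the answer suggests; expired ones can simply be re-checked after the next tidy run.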