We are facing a problem with how to detect when an authentication token (client_token) is for one-time use.
The data returned by Vault when authentication is done does not contain information about the maximum number of uses a token has. It contains the “lease_duration”, but not the “num_uses” value.
To obtain that information, the lookup-a-token-self endpoint can be used. But, obviously, invoking this endpoint consumes a “use” of the token.
So, for one-time tokens, this solution does not work.
Is there another option for knowing the “num_uses” value of a token? We could also open a feature request at the GitHub repo, but we wanted to ask a question before that.
To reproduce the issue, the following AppRole can be used:
```shell
vault write auth/approle/role/onetime-token \
  token_policies="apps" \
  secret_id_ttl=0 \
  token_num_uses=1 \
  token_ttl=10s \
  token_max_ttl=30s \
  secret_id_num_uses=0
```
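One way to read a token's `num_uses` without spending the token itself, shown here as an added example (this is not code from the original post or from HashiCorp Vault): the AppRole login response carries the token's accessor, and `POST /v1/auth/token/lookup-accessor` is authenticated by a different token, so the one-time token is never presented. The operator token, its policy (`update` on `auth/token/lookup-accessor`), the `ROLE_ID`/`SECRET_ID`/`VAULT_ADDR`/`VAULT_TOKEN` environment variables and the `FakeVault` stand-in used for the offline run are all assumptions of the example.

```python
"""Added example: learn a fresh token's num_uses via its accessor instead of
lookup-self, so a token_num_uses=1 token keeps its single use.
Assumed: an operator token allowed to call auth/token/lookup-accessor."""
import json
import os
import urllib.request
from typing import Callable, Optional

# Transport signature: (url, json_body, x_vault_token) -> decoded JSON reply.
Poster = Callable[[str, dict, Optional[str]], dict]


def http_post(url: str, body: dict, token: Optional[str]) -> dict:
    """Real transport against a Vault server (only used when VAULT_ADDR is set)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def approle_login(addr: str, role_id: str, secret_id: str, post: Poster = http_post) -> dict:
    """Unauthenticated AppRole login; returns the `auth` block (client_token, accessor, ...)."""
    resp = post(f"{addr}/v1/auth/approle/login", {"role_id": role_id, "secret_id": secret_id}, None)
    return resp["auth"]


def lookup_num_uses(addr: str, operator_token: str, accessor: str, post: Poster = http_post) -> int:
    """Look the token up by accessor with the operator token. In Vault, 0 means unlimited."""
    resp = post(f"{addr}/v1/auth/token/lookup-accessor", {"accessor": accessor}, operator_token)
    return int(resp["data"]["num_uses"])


def is_one_time(num_uses: int) -> bool:
    """True only for a token with exactly one use left (0 is 'no limit', not 'none left')."""
    return num_uses == 1


class FakeVault:
    """Constructed stand-in for a Vault server so the flow runs offline. Replies are
    shaped like Vault's but are sample data, not real output. Like Vault, it charges
    one use per request that presents a use-limited token and revokes it at zero."""
    OPERATOR = "hvs.operator-token-assumed"  # assumed operator token

    def __init__(self, token_num_uses: int = 1):
        self.role_num_uses = token_num_uses
        self.tokens = {}  # client_token -> {"accessor", "num_uses", "policies"}

    def post(self, url: str, body: dict, token: Optional[str]) -> dict:
        path = url.split("/v1/", 1)[1]
        if path == "auth/approle/login":
            n = len(self.tokens) + 1
            entry = {"accessor": f"acc-{n}", "num_uses": self.role_num_uses,
                     "policies": ["apps", "default"]}
            self.tokens[f"hvs.fake-{n}"] = entry
            return {"auth": {"client_token": f"hvs.fake-{n}", "accessor": entry["accessor"],
                             "token_policies": entry["policies"], "lease_duration": 10,
                             "renewable": True}}
        caller = self._authenticate(token)  # spends a use if the caller is use-limited
        if path == "auth/token/lookup-self":
            return {"data": caller}
        if path == "auth/token/lookup-accessor":
            if token != self.OPERATOR:
                raise PermissionError("permission denied")
            for entry in self.tokens.values():
                if entry["accessor"] == body["accessor"]:
                    return {"data": dict(entry)}
            raise LookupError("invalid accessor")
        raise LookupError(f"unsupported path {path}")

    def _authenticate(self, token: Optional[str]) -> dict:
        if token == self.OPERATOR:
            return {"accessor": "acc-operator", "num_uses": 0, "policies": ["root"]}
        entry = self.tokens.get(token)
        if entry is None:
            raise PermissionError("permission denied")
        snapshot = dict(entry)
        if entry["num_uses"] > 0:
            entry["num_uses"] -= 1
            if entry["num_uses"] == 0:
                del self.tokens[token]  # last use consumed: token revoked
        return snapshot


def demo(vault: FakeVault) -> dict:
    """Run the flow against the fake and contrast lookup-accessor with lookup-self."""
    addr = "http://127.0.0.1:8200"  # assumed address; only used to build paths
    auth = approle_login(addr, "role-id-assumed", "secret-id-assumed", vault.post)
    n = lookup_num_uses(addr, FakeVault.OPERATOR, auth["accessor"], vault.post)
    still_valid = auth["client_token"] in vault.tokens
    vault.post(f"{addr}/v1/auth/token/lookup-self", {}, auth["client_token"])
    return {"num_uses": n, "one_time": is_one_time(n),
            "valid_after_accessor_lookup": still_valid,
            "revoked_after_lookup_self": auth["client_token"] not in vault.tokens}


if __name__ == "__main__":
    if os.environ.get("VAULT_ADDR"):
        env = os.environ
        auth = approle_login(env["VAULT_ADDR"], env["ROLE_ID"], env["SECRET_ID"])
        uses = lookup_num_uses(env["VAULT_ADDR"], env["VAULT_TOKEN"], auth["accessor"])
        print(f"num_uses={uses} one_time={is_one_time(uses)}")
    else:
        print(demo(FakeVault()))
```

The check hinges on keeping two tokens apart: the use-limited token that the application will spend, and a longer-lived operator token that does the accessor lookup. Whoever holds that operator token can enumerate any token by accessor, so scope its policy to `auth/token/lookup-accessor` only. Remember that `num_uses` of 0 means no limit, so the test is `== 1`, not `> 0`.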