How to lookup / delete approle secret_id with vault cli

Hello,

I am looking for a way to:

  1. look up the specific details (e.g. ttl) of an approle secret_id
  2. deleting that secret_id with the vault CLI

For (1) there doesn’t seem to be an API endpoint. For (2) I know you can do I through the API, but I have been unsuccessful reproducing this with vault CLI. As is shown below:

❯ vault list  auth/approle/role/jenkins/secret-id
Keys
----
0ebde283-db9b-61bf-93cb-75f4a9619486
c368636e-e1c7-6235-1e37-8d97cde8d501

❯ vault delete auth/approle/role/jenkins/secret-id/destroy secret_id=0ebde283-db9b-61bf-93cb-75f4a9619486
Success! Data deleted (if it existed) at: auth/approle/role/jenkins/secret-id/destroy

❯ vault write auth/approle/role/jenkins/secret-id/destroy secret_id=0ebde283-db9b-61bf-93cb-75f4a9619486
Success! Data written to: auth/approle/role/jenkins/secret-id/destroy

❯ vault list  auth/approle/role/jenkins/secret-id
Keys
----
0ebde283-db9b-61bf-93cb-75f4a9619486
c368636e-e1c7-6235-1e37-8d97cde8d501

Thanks in advance

1 Like

Are you trying to revoke access before the TTL runs out? If so, I don’t believe you can. Secret-id isn’t exactly a lease to be revoked or a store to be deleted. It’s a credential (a password if you will).

The closest thing I can think of is setting the secret_id_num_uses=1 and revoking the token or token_accessor that came from that auth. That’ll cut off access, as they would need to request a new secret-id to be able to auth again.

If there would be a TTL then I am happy to wait. But these are secret-ids without a TTL.
As you know approles can be used in many different ways and it takes some time to configure them according to ‘better’ practices. But by the time you are at that point you can have already plenty of unexpired secret-ids. :-D.

I am interested in understanding what you mean. I am sorry, but can’t fully understand:

  • setting secret_id_num_uses is something that is done when generating, if I am correct.
  • looking at Tokens | Vault | HashiCorp Developer is I think what you are trying to say. I’ll see what it can do. I haven’t really played with the accessors so I need to see that it does.

thank you!

1 Like

It’s done during role creation, all the secret ids generated from that role would have the same num of uses set. Normally you can login to the approle multiple times and get a new token until the TTL runs out. With this you can only authenticate once, then the user would need to get a new secret-id to be able to auth again.

After you auth to approle you get a token, that’s the token I’m referring to.

1 Like

Looks like you can Destroy an existing secret ID per the API guide:

The API endpoint should translate to the command vault write auth/approle/role/<MY_ROLE_NAME>/secret-id/destroy secret_id=<MY_SECRET_ID> where <MY_ROLE_NAME> and <MY_SECRET_ID> are replaced with your values.

2 Likes

Apparently, secret-id can be managed (destroyed) only through their accessors, which are the values given in place of the secret-ids when listed.

List the secret-ids of a role will give the accessors:

vault list auth/approle/role/<MY_ROLE_NAME>/secret-id
Keys
----
0370ed98-e965-719f-73d2-76782b77520a

The accessors can be used with the destroy secred-id accessor endpoint, which translates in the CLI to:

vault write auth/approle/role/<MY_ROLE_NAME>/secret-id-accessor/destroy secret_id_accessor=0370ed98-e965-719f-73d2-76782b77520a
Success! Data written to: auth/approle-dev/role/jenkins/secret-id-accessor/destroy  

Hope that helps,
Fabrice

5 Likes