How to remove an accessor with TTL=0s and renewable=false

caclp · December 18, 2020, 6:58am

bash-4.4# vault token lookup -tls-skip-verify -accessor HBHoY1DLWf0o6moTLYhFdA8Y
Key                  Value
---                  -----
accessor             HBHoY1DLWf0o6moTLYhFdA8Y
creation_time        1604473771
creation_ttl         24h
display_name         kubernetes-sec-sip-tls-service-account
entity_id            e1d180c3-4140-8f64-6aff-38a7b863375b
expire_time          <nil>
explicit_max_ttl     0s
id                   n/a
issue_time           2020-11-04T07:09:31.407508153Z
last_renewal         2020-12-06T07:09:31.428385336Z
last_renewal_time    1607238571
meta                 map[role:sec-sip-tls-sub-ca-role service_account_name:sec-sip-tls-service-account service_account_namespace:cc service_account_secret_name:sec-sip-tls-service-account-token-2lz4c service_account_uid:1dffb1c9-1419-463f-a458-a47dbd7aadc0]
num_uses             0
orphan               true
path                 auth/kubernetes/login
policies             [default sec-sip-tls-sub-ca-policy]
renewable            false
ttl                  0s
type                 service

we got an accessor with TTL=0 and renewable false. Try to revoke-accessor throught api interface, we got error “HTTP 400, token not found”.

any idea? how to remove it?

vault version 1.4.2

jlj7 · December 18, 2020, 8:03am

Well, it’s an orphan, so there’s no parent to revoke. What are the details/capabilities of the token you’re authenticating with to run those commands?

caclp · December 18, 2020, 9:05am

bash-4.4# vault token lookup
Key                 Value
---                 -----
accessor            4TlbdUUBoEiLu2T5YplA3UOJ
creation_time       1600955122
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.r6JlL64F8o1Nh8LFY8yb9eLI
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service
bash-4.4#

I authorized as root

caclp · December 19, 2020, 1:38am

help:disappointed:help:disappointed:help

caclp · December 19, 2020, 1:52am

Why doesn’t vault clean it? TTL is 0.