How to remove an accessor with TTL=0s and renewable=false

bash-4.4# vault token lookup -tls-skip-verify -accessor HBHoY1DLWf0o6moTLYhFdA8Y
Key                  Value
---                  -----
accessor             HBHoY1DLWf0o6moTLYhFdA8Y
creation_time        1604473771
creation_ttl         24h
display_name         kubernetes-sec-sip-tls-service-account
entity_id            e1d180c3-4140-8f64-6aff-38a7b863375b
expire_time          <nil>
explicit_max_ttl     0s
id                   n/a
issue_time           2020-11-04T07:09:31.407508153Z
last_renewal         2020-12-06T07:09:31.428385336Z
last_renewal_time    1607238571
meta                 map[role:sec-sip-tls-sub-ca-role service_account_name:sec-sip-tls-service-account service_account_namespace:cc service_account_secret_name:sec-sip-tls-service-account-token-2lz4c service_account_uid:1dffb1c9-1419-463f-a458-a47dbd7aadc0]
num_uses             0
orphan               true
path                 auth/kubernetes/login
policies             [default sec-sip-tls-sub-ca-policy]
renewable            false
ttl                  0s
type                 service

we got an accessor with TTL=0 and renewable false. Try to revoke-accessor throught api interface, we got error “HTTP 400, token not found”.

any idea? how to remove it?

vault version 1.4.2

Well, it’s an orphan, so there’s no parent to revoke. What are the details/capabilities of the token you’re authenticating with to run those commands?

bash-4.4# vault token lookup
Key                 Value
---                 -----
accessor            4TlbdUUBoEiLu2T5YplA3UOJ
creation_time       1600955122
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.r6JlL64F8o1Nh8LFY8yb9eLI
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service

I authorized as root


Why doesn’t vault clean it? TTL is 0.