How to revoke a token without knowing the token nor accessor

I got a few requests from colleagues who want me to provide them with a (periodic)token without an auth back-end. I’m fully able to do that but for me it is not clear how I can revoke those tokens in case there application is compromised.

In cases where I use an auth backend it is simple. I use short lived tokens with a limited lifetime. When an application is compromised, I remove the authentication of the application and the tokens will expire automatically. For long lived tokens, I don’t see how it could be done. The only location where there is a reference to which token is used is the compromised application and Vault itself. But so far, I didn’t find an efficient way to find the right token inside Vault. So revoking the correct token is very hard.

I know that every token has an accessor which is an unique identifier for the token. But because it is a random string it is not possible to search based on the accessor.
Every token also has a display-name which could give the token a more readable name. But as far as I see the display-name is not a mandatory field and is not really searchable. The only way I found to search on display-name is looping though all tokens and check the name. If you have a few million tokens this can’t be an efficient operation to do in an emergency situation.

1 Like