Hi there
I’m trying to get what’s suggested around here to work: a token with “unlimited” lifetime through the approle auth method and periodic renewal. My idea was to get Ansible to generate a token at instance bootstrap time, a cron will renew it while it lives, and it’ll disappear if the instance dies.
Sadly, there’s no example in the article, and I can’t seem to get it right. First I created a couple of basic read/write & read-only policies on a kv v1 path already created, named “myapp_rw” and “myapp_ro”.
Then at approle creation:
vault write auth/approle/role/myapp \
bind_secret_id=false \
token_max_ttl=0 \
token_period=24h \
token_policies=myapp_ro \
token_renewable=true
Vault answers with code 500: at least one constraint should be enabled on the role.
I guess I can try every setting in the doc until the error goes away, but I was pretty convinced this is the way it should look. Can anyone explain to me what I’m doing wrong, and/or provide me an example?
Thanks in advance!
I will double check but I think for periodic tokens you shouldn’t set the max TTL.
Judging from what I see here: https://github.com/deblasis/vault/blob/6fb8fdbb3960a6f4711fdd815e2942154751ea00/command/agent/approle_end_to_end_test.go#L714
I would say you need to add either:
- secret_id_bound_cidrs
- token_bound_cidrs
One of those seems to be required if bind_secret_id is not enabled.
I will check that out, but in terms of the periodic token (one that automatically renews), the max ttl should not be set: https://www.vaultproject.io/docs/commands/token/create.html#period
Thanks @jeroenjacobs79, I added the one making the most sense, token_bound_cidrs=172.16.0.0/12, and it fixes the approle creation.
Reading around, I saw there was a difference between “max ttl” and “explicit max ttl”. The doc you link to is about tokens, which may be confusing when talking about approle. But it does say:
If a ttl is not associated with the token, then it cannot be renewed
And
Periodic tokens do not expire as long as they are actively being renewed (unless -explicit-max-ttl is also provided).
The approle API doc is here: AppRole - Auth Methods - HTTP API | Vault | HashiCorp Developer, and it says:
token_ttl (integer: 0 or string: "") - The incremental lifetime for generated tokens. This current value of this will be referenced at renewal time.
Plus:
token_max_ttl (integer: 0 or string: "") - The maximum lifetime for generated tokens. This current value of this will be referenced at renewal time.
And:
token_explicit_max_ttl (integer: 0 or string: "") - If set, will encode an explicit max TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
I’m puzzled about the purpose of token_max_ttl. I guess I won’t specify it, just to be sure.
Ok, I found a clearer explanation about max ttl & explicit max ttl here: https://www.vaultproject.io/docs/concepts/tokens#the-general-case.
Better not to specify the max ttl then.
Thanks for bouncing ideas, I’ll go on experimenting with this.
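Putting the thread's conclusion together as an added example (my code, not from the original posts or from HashiCorp): a small Python helper that builds the AppRole role body with a CIDR constraint and no max TTL, and the renew-self call a cron job would run, with a constructed sample response to show what a healthy periodic renewal looks like. Role name, token value and the 172.16.0.0/12 default are assumptions taken from the thread.

```python
"""Periodic-token helpers for the approle + cron renewal setup discussed above."""
import json
import os
import urllib.request


def approle_role_payload(period="24h", policies=("myapp_ro",),
                         token_bound_cidrs=("172.16.0.0/12",), bind_secret_id=False):
    """Body for POST auth/approle/role/<name> (name is assumed to be 'myapp').

    Vault refuses a role with no constraint at all ("at least one constraint
    should be enabled on the role"), so with bind_secret_id=false a CIDR
    binding is mandatory. token_max_ttl is deliberately left out: a periodic
    token lives for one period and is renewed indefinitely.
    """
    if not bind_secret_id and not token_bound_cidrs:
        raise ValueError("at least one constraint should be enabled on the role")
    payload = {"bind_secret_id": bind_secret_id, "token_period": period,
               "token_policies": list(policies)}
    if token_bound_cidrs:
        payload["token_bound_cidrs"] = list(token_bound_cidrs)
    return payload


def renew_request(vault_addr, token, increment=None):
    """Return (url, headers, body) for POST /v1/auth/token/renew-self."""
    body = {} if increment is None else {"increment": increment}
    return (f"{vault_addr.rstrip('/')}/v1/auth/token/renew-self",
            {"X-Vault-Token": token, "Content-Type": "application/json"},
            json.dumps(body).encode())


def check_renewal(response):
    """Return (renewable, lease_seconds) from a renew-self response.

    A periodic token comes back renewable with its TTL reset to the period;
    if renewable is false the token hit an explicit max TTL and the cron
    should alert instead of silently failing on the next run.
    """
    auth = response.get("auth") or {}
    return bool(auth.get("renewable")), int(auth.get("lease_duration", 0))


# Constructed sample of a renew-self response for a 24h periodic token.
SAMPLE_RESPONSE = {"auth": {"client_token": "hvs.EXAMPLE", "renewable": True,
                            "lease_duration": 86400, "policies": ["default", "myapp_ro"]}}


def renew_self(vault_addr=None, token=None):
    """What the cron job runs: renew the token in VAULT_TOKEN against VAULT_ADDR."""
    url, headers, body = renew_request(vault_addr or os.environ["VAULT_ADDR"],
                                       token or os.environ["VAULT_TOKEN"])
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return check_renewal(json.load(resp))
```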