I’m trying to get what’s suggested around here to work: a token with “unlimited” lifetime through the approle auth method and periodic renewal. My idea was to have Ansible generate a token at instance bootstrap time; a cron job will renew it while the instance lives, and it will disappear when the instance dies.
Sadly, there’s no example in the article, and I can’t seem to get it right. First I created a couple of basic read/write and read-only policies on a kv v1 path already created, named “myapp_rw” and “myapp_ro”.
Then at approle creation:
vault write auth/approle/role/myapp \
    bind_secret_id=false \
    token_max_ttl=0 \
    token_period=24h \
    token_policies=myapp_ro \
    token_renewable=true
Vault answers with code 500: at least one constraint should be enabled on the role.
I guess I can try every setting in the doc until the error goes away, but I was pretty convinced this is the way it should look. Can anyone explain to me what I’m doing wrong, and/or provide me an example?
Thanks in advance!
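The two halves of the setup described in the post, as an added example that is not part of the original post or of Vault itself: a pre-flight check for the role definition, and the cron-side renewal of a periodic token against the Vault HTTP API. The check mirrors the server-side rule behind the error quoted above: when bind_secret_id=false, Vault only accepts the role if some other constraint is set, i.e. secret_id_bound_cidrs or token_bound_cidrs. The Vault address, the token file path and the transport injected in tests are assumptions; the API paths (auth/token/lookup-self, auth/token/renew-self) are Vault's.

```python
# Added example (not from the post or from Vault): validate an approle role
# payload the way Vault does, and renew a periodic token from cron once less
# than a fraction of its period remains. VAULT_ADDR / TOKEN_FILE are assumed.
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # assumption
TOKEN_FILE = os.environ.get("VAULT_TOKEN_FILE", "/run/myapp/vault-token")  # assumption


def validate_role(role):
    """Mirror Vault's constraint rule for auth/approle/role/<name>:
    with bind_secret_id=false the role must carry secret_id_bound_cidrs or
    token_bound_cidrs, otherwise the write is rejected with
    "at least one constraint should be enabled on the role"."""
    bind_secret_id = str(role.get("bind_secret_id", "true")).lower() != "false"
    cidrs = role.get("secret_id_bound_cidrs") or role.get("token_bound_cidrs")
    if not bind_secret_id and not cidrs:
        raise ValueError("at least one constraint should be enabled on the role")
    return True


def http_transport(method, url, headers, body):
    """Real transport: urllib against the Vault API. Replaced by a fake in tests."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def renew_if_needed(token, threshold=0.5, transport=http_transport):
    """Look the token up and renew it when less than `threshold` of its
    period is left. Returns (action, ttl_seconds) so a cron wrapper can log it.
    A periodic token renews back to its full period; max TTL does not apply."""
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    lookup = transport("GET", f"{VAULT_ADDR}/v1/auth/token/lookup-self", headers, None)["data"]
    if not lookup.get("renewable"):
        return ("not_renewable", lookup["ttl"])
    # lookup-self reports "period" for periodic tokens; creation_ttl is the fallback
    period = lookup.get("period") or lookup["creation_ttl"]
    if lookup["ttl"] > period * threshold:
        return ("skipped", lookup["ttl"])
    renewed = transport("POST", f"{VAULT_ADDR}/v1/auth/token/renew-self", headers, {})
    return ("renewed", renewed["auth"]["lease_duration"])


if __name__ == "__main__":
    # Cron entry point: read the token Ansible dropped at bootstrap and renew it.
    with open(TOKEN_FILE) as fh:
        action, ttl = renew_if_needed(fh.read().strip())
    print(f"{action}: ttl={ttl}s")
```

Run it from cron at a fraction of the period (for a 24h period, every few hours is comfortable); the threshold keeps a missed run from expiring the token, and the lookup-first design means a non-renewable or already-expired token is reported rather than silently retried. The token file should be readable only by the service user, since anyone who can read it holds the myapp_ro policy for as long as the renewals continue.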