How to set up a periodic token with unlimited renewal

rgarrigue · September 10, 2020, 7:00am

Hi there

I’m trying to get what’s suggested around here to work : a token with “unlimited” lifetime through approle auth method and periodic renewal. My idea was to get Ansible generate a token at instance bootstrap time, a cron will renew it while it live, it’ll disappear if the instance die.

Sadly, there’s no example in the article, and I can’t seems to get it right. First I created a couple of basic read/write & read-only policy on a kv v1 path already created, named “myapp_rw” and “myapp_ro”.

Then at approle creation

vault write auth/approle/role/myapp \
    bind_secret_id=false \
    token_max_ttl=0 \
    token_period=24h \
    token_policies=myapp_ro \
    token_renewable=true

Vault answer code 500 : at least one constraint should be enabled on the role.

I guess I can try every settings in the doc until the error go, but I was pretty convinced this is the way it should look like. Anyone can explain me what I’m doing wrong, and/or provide me an example ?

Thanks in advance !

robertraybarnes · September 10, 2020, 7:24am

I will double check but I think for periodic tokens you shouldn’t set the max TTL.

jeroenjacobs79 · September 10, 2020, 7:28am

Judging from what I see here: https://github.com/deblasis/vault/blob/6fb8fdbb3960a6f4711fdd815e2942154751ea00/command/agent/approle_end_to_end_test.go#L714

I would say you need to add either:

secret_id_bound_cidrs
token_bound_cidrs

One of those seem to be required if bind_secret_id is not enabled.

robertraybarnes · September 10, 2020, 8:19am

I will check that out but in terms of the periodic token (one that automatically renews), the max ttl should not be set: https://www.vaultproject.io/docs/commands/token/create.html#period

rgarrigue · September 10, 2020, 8:52am

Thanks @jeroenjacobs79, I added the one making the most sense, token_bound_cidrs=172.16.0.0/12, it fixes the approle creation.

rgarrigue · September 10, 2020, 9:04am

Reading around, I saw there was a difference between “max ttl” and “explicit max ttl”. The doc you link to is about token, which may be confusion talking about approle. But it does says

If a ttl is not associated with the token, then it cannot be renewed

And

Periodic tokens do not expire as long as they are actively being renewed (unless -explicit-max-ttl is also provided).

The approle api doc is here https://www.vaultproject.io/api-docs/auth/approle#token_ttl and says

token_ttl (integer: 0 or string: "") - The incremental lifetime for generated tokens. This current value of this will be referenced at renewal time.

Plus

token_max_ttl (integer: 0 or string: "") - The maximum lifetime for generated tokens. This current value of this will be referenced at renewal time.

And

token_explicit_max_ttl (integer: 0 or string: "") - If set, will encode an explicit max TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

I’m puzzled about its interest of token_max_ttl. I guess I won’t specify it, just to be sure.

rgarrigue · September 10, 2020, 9:06am

Ok, I found a clearer explanation avout mx ttl & explicit max ttl here https://www.vaultproject.io/docs/concepts/tokens#the-general-case.

Better not specifying the max ttl then.

Thanks for bouncing idea, I’ll go on experimenting with this.