Identify the vault role creating tokens

Hello All,

We have a situation where we have close to 2.5 million active tokens in vault and close to 1.7 million of tokens which are about to expire. Is there a way to figure out from vault cli or access logs of vault through which we can figure out which role is creating these many tokens

If you haven’t already, I would suggest setting up an audit device and monitor for request.path="auth/*/login" and request.path="auth/token/create*"

The information within the records should help you identify who/what is creating the tokens. I’d also suggest reviewing your default and max TTL settings so that the tokens expire within a timeframe reasonable within your organization (these settings can be configured at the cluster level, the auth mount level, or the role level (ex. AppRole) - use what makes sense for your org).