We have so many accessors that calling vault list auth/token/accessors returns with an Error listing auth/token/accessors/: context deadline exceeded error.
I believe I can make the following change but I am not sure it will work as time goes on.
If there was a way to paginate the results it would allow for less intensive queries when pulling all the accessors. The basis of this question stems from a previous question I posted.
Hi, Michael. Unfortunately, I ran into the same problem. There is not really a good way today to list all accessors (or all entities) as the number gets large. It’s definitely an area of concern for use cases like yours of doing entitlement reporting.
The best way to monitor this today is to enable the audit log and monitor the audit log: the hashed version of every accessor appears there, or you can configure the accessors to appear unhashed. The policies list in the auth section of a login response will tell you whether a root policy is present or not.
You can also use the usage metrics introduced to the telemetry in Vault 1.5 to get a count of tokens by policy (up to 500 policies) or by other labels. This may provide a quick way of telling whether there are any outstanding root tokens, but unfortunately not of identifying the specific tokens.
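As an added example (not from this thread and not HashiCorp's own tooling), here is how the audit-log approach suggested above can be put into practice: scan file-audit-device lines for response entries whose auth block carries the root policy and collect their accessors. The audit entries below are constructed for illustration, with accessor values shown as placeholders in the HMAC'd form the audit device emits by default.

```python
import json
from typing import Dict, Iterable

# Constructed sample entries in the shape of Vault's file audit device
# (one JSON object per line). Accessors appear in the default HMAC'd form;
# the digests below are placeholders, not real values.
SAMPLE_AUDIT_LINES = [
    # userpass login: response.auth carries the new token's accessor/policies
    json.dumps({"time": "2023-01-01T10:00:00Z", "type": "response",
                "request": {"operation": "update", "path": "auth/userpass/login/alice"},
                "response": {"auth": {"accessor": "hmac-sha256:aaaa",
                                      "policies": ["default", "app-read"]}}}),
    # operator-created child token with the root policy attached
    json.dumps({"time": "2023-01-01T10:05:00Z", "type": "response",
                "request": {"operation": "update", "path": "auth/token/create"},
                "response": {"auth": {"accessor": "hmac-sha256:bbbb",
                                      "policies": ["root"]}}}),
    # the matching request entry has no response.auth and must be skipped
    json.dumps({"time": "2023-01-01T10:05:00Z", "type": "request",
                "request": {"operation": "update", "path": "auth/token/create"}}),
    '{"time": "2023-01-01T10:06:00Z", "type": "resp',  # line cut at rotation
]


def root_token_accessors(lines: Iterable[str]) -> Dict[str, dict]:
    """Map accessor -> {time, path, policies} for every response entry whose
    auth block includes the root policy (logins and token creations)."""
    found: Dict[str, dict] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial line (e.g. cut at rotation): skip, do not abort
        if entry.get("type") != "response":
            continue
        auth = (entry.get("response") or {}).get("auth") or {}
        # newer audit entries may also carry token_policies; check both lists
        policies = set(auth.get("policies") or []) | set(auth.get("token_policies") or [])
        accessor = auth.get("accessor")
        if accessor and "root" in policies:
            found[accessor] = {"time": entry.get("time"),
                               "path": (entry.get("request") or {}).get("path"),
                               "policies": sorted(policies)}
    return found


if __name__ == "__main__":
    for acc, info in root_token_accessors(SAMPLE_AUDIT_LINES).items():
        print(acc, info)
```

To run this over a real log, pass the open file object (for example `root_token_accessors(open("/var/log/vault_audit.log"))`, path assumed) in place of the sample list. Because the accessors are HMAC'd by default, compare a candidate accessor against them with the sys/audit-hash endpoint, or set hmac_accessor=false on the audit device so they appear in the clear, as the reply above mentions.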
Thank you for the response. I have not tested the https://www.vaultproject.io/docs/configuration#default_max_request_duration config change, which could help with my problem, but I am specifically wanting all tokens that have the root policy attached so I can get information for an audit. This is actually a very small number, 4 or 5 is what we expect, but we have to perform the query to validate. We do need to get the specific tokens for our case.
I was able to list them but I think I got lucky in that the query was able to complete before the timeout.
As I understand it, pagination is not on their roadmap so we may be waiting for that but they are aware of the request. Apparently, the enterprise version can do namespaces that would help with doing this kind of query in a limited scope but it is not in the OSS version.