Is there an API or command to verify the system max_lease_ttl on Vault?

Hi folks, is there an API or command to verify the effective system max_lease_ttl on Vault?
I want to make sure that the settings in the HCL file have been picked up.

Also, is there a way to change the system max_lease_ttl without modifying the HCL file?

$ vault read sys/auth/token/tune
Key                  Value
---                  -----
default_lease_ttl    768h
description          token based credentials
force_no_cache       false
max_lease_ttl        768h
token_type           default-service

Yes and no. No, because everything will default to that value; however, you can override that value per auth type, so sort of yes. I have to warn you that this isn’t something you want to change often. It should be a static value and should not be changed.

$ vault write sys/auth/token/tune default_lease_ttl=120h max_lease_ttl=120h
Success! Data written to: sys/auth/token/tune
$ vault read sys/auth/token/tune
Key                  Value
---                  -----
default_lease_ttl    120h
description          token based credentials
force_no_cache       false
max_lease_ttl        120h
token_type           default-service

Thank you so much for the reply.

It looks like sys/auth/token/tune pertains to the auth method only.

It honors “vault auth tune -max-lease-ttl=8760h token/” and NOT the value in the config file. It is not the Vault server’s globally configured maximum lease TTL, which is what I am wondering how to get.

If we change the HCL file, can this value be taken into effect without restarting the Vault nodes? Would a SIGHUP signal honor the reload of configs?

Yes, a SIGHUP would re-read the config and restart the process. If the node is a leader node, an election would be forced immediately; otherwise it’s possible one may happen anyway, so don’t do this very quickly across your nodes. Wait a few minutes in between.