We have written a Powershell script to re-create our secret-ids from our deployment pipeline.
However, I have observed, in my testing, that the previous secret-id is still valid for logging in.
All of them are created with a TTL=0,
I seem to not be able to use the API call
/v1/auth/approle/role/approle/secret-id/destroy
We’re getting a permission denied. The approle I’m logged into when running this command is one that has this policy:
# Grant 'update' permission on the 'auth/approle/role/+/secret-id' path
path "auth/approle/role/+/secret-id" {
capabilities = [ "create", "update" ]
}
What other capabilities do I need to use the destroy functionality? Or can someone explain why the old secret-id continues to work?