Limit tokens to not being able to create more tokens with a longer lease time than themselves

Hi all,

In Vault, when creating a token which is valid for 30 seconds, you can log in with that token and create another token with the max_ttl. The max_ttl can be greater than the 30 seconds the creator token has.

Is there a way to limit this behaviour? I don’t want to create a token which has the capability of creating more tokens with a longer lease time than itself.

Thank you!

Hello,

There is currently no way of limiting this behavior. The reason this is permitted is that it allows for scenarios such as a parent periodic token with a TTL of 30m to issue a non-periodic child token that’s valid for 1h. However, keep in mind that whenever a parent token is revoked, all child tokens are revoked as well, so a longer-lived child token might still be “capped” (albeit indirectly) by the shorter parent token’s TTL.

Best,
Calvin
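The behaviour Calvin describes can be walked through with a small model of Vault's token tree. The code below is an added example written for this page; it is not Vault's code and not part of the original thread. It is a constructed, in-memory stand-in for the token store: a child may be issued with a TTL longer than its parent's, but revoking the parent, or letting it expire, removes the whole subtree, so the child's effective lifetime is capped indirectly. Two things in it are assumptions of the model rather than Vault features: the `tok-N` ids, and the `enforce_parent_cap` flag, which implements the check the question asks for to show what the missing option would do. The `orphan` flag mirrors real Vault behaviour (`vault token create -orphan`): an orphan token has no parent and therefore is not swept up when its creator is revoked.

```python
# Added example, not Vault source: a toy token store modelling parent/child
# revocation. Ids and the enforce_parent_cap option are assumptions of this
# model; the orphan behaviour mirrors `vault token create -orphan`.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Token:
    token_id: str
    ttl: int                      # seconds valid, counted from issue time
    issued_at: int
    parent: Optional[str] = None  # None for root-issued or orphan tokens
    children: List[str] = field(default_factory=list)

    @property
    def expires_at(self) -> int:
        return self.issued_at + self.ttl


class TokenStore:
    """Minimal stand-in for Vault's token store: create, lookup,
    cascading revoke, and an expiry sweep (constructed for illustration)."""

    def __init__(self) -> None:
        self.now = 0
        self._next = 1
        self.tokens: Dict[str, Token] = {}

    def create(self, ttl: int, parent: Optional[str] = None,
               orphan: bool = False, enforce_parent_cap: bool = False) -> str:
        if parent is not None:
            creator = self.lookup(parent)
            if creator is None:
                raise PermissionError("creator token is revoked or expired")
            remaining = creator.expires_at - self.now
            # Hypothetical guard the question asks for; Vault has no such option,
            # so by default a child TTL longer than the parent's is accepted.
            if enforce_parent_cap and ttl > remaining:
                raise ValueError(f"child ttl {ttl}s exceeds parent remaining {remaining}s")
        tid = f"tok-{self._next}"
        self._next += 1
        # An orphan token records no parent, so it sits outside any revocation tree.
        tok = Token(tid, ttl, self.now, None if orphan else parent)
        self.tokens[tid] = tok
        if tok.parent is not None:
            self.tokens[tok.parent].children.append(tid)
        return tid

    def lookup(self, token_id: str) -> Optional[Token]:
        tok = self.tokens.get(token_id)
        if tok is None or tok.expires_at <= self.now:
            return None
        return tok

    def revoke(self, token_id: str) -> int:
        """Revoke a token and, recursively, every child beneath it.
        Returns how many tokens were removed."""
        tok = self.tokens.pop(token_id, None)
        if tok is None:
            return 0
        removed = 1
        for child in list(tok.children):
            removed += self.revoke(child)
        return removed

    def advance(self, seconds: int) -> int:
        """Move the clock and sweep expired tokens. Expiry revokes the whole
        subtree exactly like an explicit revoke. Returns tokens removed."""
        self.now += seconds
        expired = [t for t, tok in self.tokens.items() if tok.expires_at <= self.now]
        removed = 0
        for tid in expired:
            removed += self.revoke(tid)  # returns 0 if a parent already took it
        return removed


def demo() -> dict:
    """Reproduce the thread's scenario: 30s creator token, 1h child token."""
    store = TokenStore()
    root = store.create(ttl=10**6)                    # long-lived operator token
    parent = store.create(ttl=30, parent=root)        # the 30-second creator token
    child = store.create(ttl=3600, parent=parent)     # 1h child, accepted as in Vault
    orphan = store.create(ttl=3600, parent=parent, orphan=True)
    try:
        store.create(ttl=3600, parent=parent, enforce_parent_cap=True)
        cap_refused = False
    except ValueError:
        cap_refused = True
    store.advance(30)  # parent expires; its subtree goes with it
    return {
        "child_alive_after_parent_expiry": store.lookup(child) is not None,
        "orphan_alive_after_parent_expiry": store.lookup(orphan) is not None,
        "hypothetical_cap_refused": cap_refused,
    }
```

Running `demo()` shows the child with a 1h TTL gone after 30 seconds while the orphan survives, which is the practical caveat: the indirect cap through the parent only holds for tokens that actually have a parent.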