Named key rotation

satunin · May 7, 2020, 2:23pm

Hi. I am using Vault v1.3.1
I created a named key like this:

vault write identity/oidc/key/kentity rotation_period=“15m” verification_ttl=“15m” allowed_client_ids=*

After that i checked Active Public Keys like this:

curl --request GET http://vault-service.vault-service:8200/v1/identity/oidc/.well-known/keys

and i saw one key with kid: 26adaed0-51e4-f1c4-7001-ef405e586ab3

after about 15 minutes I checked it again and saw the same key, but i expected two keys (rotated and old). Is it bug ?

after about 30 minutes(15+15) I checked it again and saw two keys with “kid”:“7df83bb3-13e9-ae43-a547-cd57a9d454e9” and “kid”:“c2c345bd-17e8-6b29-97a6-1412a3416a67” and no previos key with kid: 26adaed0-51e4-f1c4-7001-ef405e586ab3. Is it bug?

kalafut · May 7, 2020, 4:22pm

Hi. This may be a symptom of a bug that was fixed in 1.3.3 & 1.4.0: https://github.com/hashicorp/vault/pull/8412

satunin · May 8, 2020, 6:11am

Thanks a lot! will try the same with new version