Original setup did not set TTL's, now have 200k+ in sys/token/accessor and id

Vault
1

When vault was first setup we didn’t set TTL’s (just left things at their default). Now in trying to clean things up and get it better performing, I’m trying to fix the TTL’s, but we have over 200k entriest in both sys/token/accessor and sys/token/id and I cannot clean them. I’ve run tidy and it reduced by about 15k but won’t clean up anymore.

Vault Version: 1.1.0 (Docker/Kubernetes)
Backend: Google Cloud Storage

Can I end up doing a gsutil rm on the path? Or would that corrupt secrets and the like too? (I cannot list using the CLI or HTTP API as it just times out).

2

You can list accessors and then iterate through that list via lookup-accessor to revoke the ones you want via revoke-accessor.

3

Unfortunately, I’ve tried that. I get:

{“errors”:[“1 error occurred:\n\t* failed to read object: context canceled\n\n”]}

when I try to read that endpoint.

4

You may need to increase https://www.vaultproject.io/docs/configuration/listener/tcp/#inlinecode-max_request_duration-2 or the http timeout variables. Additionally make sure your client doesn’t time out on the client side. If using the Vault CLI see https://www.vaultproject.io/docs/commands/#vault_client_timeout

5

Thx, I’ll see what I can do with that. Hopefully it’ll return something useful. I’ll get back to you.

6

Ok, I was able to get a list of Accessors, but any time I try to revoke any of them, I get

Code: 400. Errors:
  * 1 error occurred:
      * invalid accessor

Using:
vault revoke token -accessor {{ id }}