Original setup did not set TTLs, now have 200k+ in sys/token/accessor and id

When Vault was first set up we didn’t set TTLs (just left things at their default). Now in trying to clean things up and get it better performing, I’m trying to fix the TTLs, but we have over 200k entries in both sys/token/accessor and sys/token/id and I cannot clean them. I’ve run tidy and it reduced by about 15k but won’t clean up any more.

Vault Version: 1.1.0 (Docker/Kubernetes)
Backend: Google Cloud Storage

Can I end up doing a gsutil rm on the path? Or would that corrupt secrets and the like too? (I cannot list using the CLI or HTTP API as it just times out).

You can list accessors and then iterate through that list via lookup-accessor to revoke the ones you want via revoke-accessor.

Unfortunately, I’ve tried that. I get:

{"errors":["1 error occurred:\n\t* failed to read object: context canceled\n\n"]}

when I try to read that endpoint.

You may need to increase https://www.vaultproject.io/docs/configuration/listener/tcp/#inlinecode-max_request_duration-2 or the http timeout variables. Additionally make sure your client doesn’t time out on the client side. If using the Vault CLI see https://www.vaultproject.io/docs/commands/#vault_client_timeout
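
The procedure from the two replies above (list accessors, look each one up, revoke the ones you want, with a longer client-side timeout), as an added example that is not part of the thread or of Vault's own tooling. The age-based selection policy, the names `sweep` and `should_revoke`, and the `300s` timeout value are assumptions; it defaults to a dry run that only reports what it would revoke.

```python
import json
import os
import subprocess
import time

# Assumption: a longer client-side timeout so the large LIST can finish.
ENV = {**os.environ, "VAULT_CLIENT_TIMEOUT": "300s"}


def vault(*args):
    """Run the Vault CLI; return (exit_code, stdout, stderr)."""
    p = subprocess.run(["vault", *args], env=ENV, capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr


def should_revoke(data, now, max_age_days):
    """Hypothetical policy: non-root tokens older than max_age_days."""
    if "root" in (data.get("policies") or []):
        return False
    return (now - data["creation_time"]) / 86400 > max_age_days


def sweep(run=vault, now=None, max_age_days=30, dry_run=True):
    """Look up every accessor; revoke (or, in a dry run, only select) matches."""
    now = time.time() if now is None else now
    report = {"selected": [], "kept": [], "invalid": [], "failed": []}
    code, out, err = run("list", "-format=json", "auth/token/accessors")
    if code != 0:
        raise RuntimeError(f"listing accessors failed: {err.strip()}")
    for acc in json.loads(out):
        code, out, err = run("token", "lookup", "-format=json", "-accessor", acc)
        if code != 0:
            # "invalid accessor" is recorded separately; the sweep keeps going.
            report["invalid" if "invalid accessor" in err else "failed"].append(acc)
            continue
        if not should_revoke(json.loads(out)["data"], now, max_age_days):
            report["kept"].append(acc)
            continue
        if not dry_run:
            code, _, err = run("token", "revoke", "-accessor", acc)
            if code != 0:
                report["invalid" if "invalid accessor" in err else "failed"].append(acc)
                continue
        report["selected"].append(acc)
    return report


if __name__ == "__main__":
    print(json.dumps(sweep(dry_run=True), indent=2))
```

Review the `selected` list from the dry run before calling `sweep(dry_run=False)`; accessors reported under `invalid` are the ones the server rejected and need separate investigation.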

Thx, I’ll see what I can do with that. Hopefully it’ll return something useful. I’ll get back to you.

Ok, I was able to get a list of Accessors, but any time I try to revoke any of them, I get

Code: 400. Errors:
  * 1 error occurred:
      * invalid accessor

Using:
vault revoke token -accessor {{ id }}