Periodic Token not Renewing

I have vault set up to auto-unseal using another vault server. I have created what I believe should be a renewable periodic token:

Key                  Value
---                  -----
accessor             fXXXXXXXXXXXXXXXXXXXXXXXXXi
creation_time        1633457637
creation_ttl         768h
display_name         token-delme
entity_id            n/a
expire_time          2021-11-06T18:13:57.686777872Z
explicit_max_ttl     0s
id                   s.XXXXXXXXXXXXXXXXZ
issue_time           2021-10-05T18:13:57.021630522Z
last_renewal         2021-10-05T18:15:35.686778002Z
last_renewal_time    1633457735
meta                 <nil>
num_uses             0
orphan               true
path                 auth/token/create/unsealer
period               768h
policies             [default unsealer]
renewable            true
role                 unsealer
ttl                  767h58m19s
type                 service

However, I can’t seem to renew said token:

WARNING! The following warnings were returned from Vault:

  * TTL of "767h59m28s" exceeded the effective max_ttl of "767h58m22s"; TTL
  value is capped accordingly

Key                  Value
---                  -----
token                s.XXXXXXXXXXXZ
token_accessor       fXXXXXXXXXXi
token_duration       767h58m22s
token_renewable      true
token_policies       ["default" "unsealer"]
identity_policies    []
policies             ["default" "unsealer"]

Command used to create the token:

vault token create \
  -display-name="delme" \
  -orphan=true \
  -period="768h" \
  -policy "unsealer" \
  -role="unsealer" 

Unsealer policy:

# Allow operator to use Vault via Terraform.
# https://www.terraform.io/docs/providers/vault/index.html#token
path "auth/token/create" {
  capabilities = [ "update" ]
}

# Allow encryption for respective vault domain
path "unsealer/encrypt/vault.example.com" {
  capabilities = [ "update" ]
}

# Allow decryption for respective vault domain
path "unsealer/decrypt/vault.example.com" {
  capabilities = [ "update" ]
}

If I leave off the -role then I am able to renew it just fine. However, without that role the token cannot be used to authenticate. Any idea what I’m missing here?

What is the config/params of the token role “unsealer”?

I’m not quite sure how to pull down/read what is actually stored in vault, but it is created with the following terraform:

resource "vault_token_auth_backend_role" "unsealer" {
  role_name        = "unsealer"
  allowed_policies = ["default", "unsealer"]
  orphan           = true
  renewable        = true
}

I’ll have to test my answer, but the confusion with your token create is the role of the role parameter.

You “either” create a role and use that or you pick the parameters and values you want to use … you’re doing both so the role setup wins, all other parameters that you’re passing in are ignored (again would need to test).

I don’t believe you can look up the current settings of a role; you can look up the token’s role via:

curl \
    --header "X-Vault-Token: $(vault print token)" \
    http://127.0.0.1:8200/v1/auth/token/roles/unsealer

This isn’t exactly an answer to your question, but IMHO unless you’re planning on doing hundreds of these trans tokens for unsealing there really is no point in creating a role. A token role is used for shortcuts; in years of Vault admin experience, I have used them once.

I’ll test out what I think is going on and follow up later today.

EDIT: I remembered there is a use for role that isn’t available anywhere else for a token and that’s restricting create/renewal by CIDR blocks.

This is definitely the case and thank you for pointing that out. I was unaware that vault would look to the role instead of the token itself when determining if it was a periodic token. For future reference and anyone who stumbles upon the same issue, here is what I found:

Even though I had set a period on the token and that period showed up in vault token lookup s.XXXXX, this was not being honored by vault renew s.XXXXX

I created a role with the period setting:

vault write auth/token/roles/delme - <<EOF
{
  "allowed_policies": [
    "default",
    "unsealer"
  ],
  "name": "delme",
  "orphan": true,
  "period": "768h",
  "renewable": true
}
EOF

(to do this, I was able to copy the format of the old role with vault read -format json auth/token/roles/unsealer)

Creating a token with this role but without the extra settings (e.g. orphan and period) worked, but vault token lookup did not display a period for this token. However, vault renew was successfully able to renew the token.

Thank you all for your assistance!
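The rule this thread arrives at (a token issued through a token role is renewed with the role's period, not with the period stored on the token) is easy to misread from `vault token lookup` output alone, because the lookup happily shows a `period` that renewal will never use. The script below is an added example written for this thread; it is not code from the original posts or from Vault. It parses the redacted lookup table quoted above, parses Go-style durations, and reports which period Vault will actually apply on renewal. The role dictionaries are constructed to resemble the `data` block of `vault read -format=json auth/token/roles/<name>`, with the period given in seconds under `period` (or `token_period`); that shape is an assumption, as are the sample values.

```python
import re

# Constructed sample: the (redacted) `vault token lookup` output from the thread,
# trimmed to the fields the check needs.
TOKEN_LOOKUP = """\
Key                  Value
---                  -----
accessor             fXXXXXXXXXXXXXXXXXXXXXXXXXi
creation_ttl         768h
explicit_max_ttl     0s
orphan               true
period               768h
policies             [default unsealer]
renewable            true
role                 unsealer
ttl                  767h58m19s
type                 service
"""

# Constructed samples (assumed shape): the role as the Terraform resource created it,
# with no period, and the same role corrected to carry the 768h period. Vault's role
# read reports durations as integer seconds; this is an assumption about the key names.
ROLE_WITHOUT_PERIOD = {"name": "unsealer", "allowed_policies": ["default", "unsealer"],
                       "orphan": True, "renewable": True, "period": 0, "explicit_max_ttl": 0}
ROLE_WITH_PERIOD = dict(ROLE_WITHOUT_PERIOD, period=768 * 3600)

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"(\d+)([hms])")


def parse_duration(value):
    """Parse a Go-style duration ("767h58m19s", "768h", "0s") or an integer number of
    seconds, both of which appear in Vault output, into whole seconds."""
    if isinstance(value, int):
        return value
    value = value.strip()
    if value.isdigit():
        return int(value)
    parts = _DURATION_RE.findall(value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def parse_lookup_table(text):
    """Turn the two-column `Key  Value` table printed by `vault token lookup` into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Key ") or line.startswith("---"):
            continue
        key, _, value = line.partition(" ")
        fields[key] = value.strip()
    return fields


def effective_renewal_period(token, role=None):
    """Return (period_seconds, source) that renewal will apply to this token.

    Mirrors the behaviour observed in the thread: a token created through a token role
    is renewed with the role's period, so the token's own `period` field is ignored;
    only a role-less token falls back to its own `period`.
    """
    role_name = token.get("role", "")
    if not role_name:
        return parse_duration(token.get("period", "0s")), "token"
    if role is None:
        raise ValueError(f"token was issued by role {role_name!r} but no role config was given")
    raw = role.get("token_period", role.get("period", 0))
    return parse_duration(raw), f"role {role_name!r}"


def diagnose(lookup_text, role=None):
    """Human-readable verdict on whether renewals of this token will reset its TTL."""
    token = parse_lookup_table(lookup_text)
    token_period = parse_duration(token.get("period", "0s"))
    period, source = effective_renewal_period(token, role)
    if period > 0:
        return f"periodic: renewals reset the TTL to {period // 3600}h (from {source})"
    if token_period > 0:
        return (f"NOT periodic: token shows period {token_period // 3600}h but {source} "
                f"has none; renewal is capped by max_ttl instead")
    return "NOT periodic: no period on token or role"


if __name__ == "__main__":
    print(diagnose(TOKEN_LOOKUP, ROLE_WITHOUT_PERIOD))  # the thread's symptom
    print(diagnose(TOKEN_LOOKUP, ROLE_WITH_PERIOD))     # after adding a period to the role
```

To use it against a live server, paste the output of `vault token lookup <token>` into `TOKEN_LOOKUP` and the `data` block of `vault read -format=json auth/token/roles/<role>` into the role dictionary; if the verdict is "NOT periodic" while the token itself shows a period, the period needs to be set on the role, which is exactly the fix the thread landed on.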