Questions on Token TTL and Vault Best Practises


We have a service currently generating multiple tokens with no TTL and Max TTL for Testing purposes. By default, we have put a threshold of 30 tokens per hour on our monitoring, but I have questions of best practices when it comes to Vault:

  • Do we have a way to revoke a list of tokens that are not used with the certain period of time?
  • We will definitely enforce the TTL on all future approles but I am wondering during major scaleup events, do we have quick way to clean up/revoke all?

There is no such thing as “no ttl” in vault – everything has a TTL (could be months long but it has a TTL). The only exception to that is the root token and hopefull you’re not generating root tokens over and over again, even for testing that’s a horrible idea because you’re not actually testing anything at the point.

vault token revoke will revoke tokens one at a time, there is no mechanism for mass revoking.

1 Like

Hi Aram,

Thank you for your comment, would you have a list of recommend best practices we should be following when using Vault?
I assume one of the best practice is to always set a TTL on our approles. We will attempt to codify this and enforce this in a TFE Sentinel Policy when managing Vault resources in Terraform. Though this won’t stop it if resources are created on the API / CLI level unless we had Vault Enterprise with a Sentinel.

The most generic advice I can provide is that the TTL should be as short as actually needed. Also don’t confuse Max TTL with TTL… the Max TTL can be the maximum length of time a token is a valid for with renewals.

1 Like