Hello,
We have a service currently generating multiple tokens with no TTL and Max TTL for Testing purposes. By default, we have put a threshold of 30 tokens per hour on our monitoring, but I have questions of best practices when it comes to Vault:
There is no such thing as “no ttl” in vault – everything has a TTL (could be months long but it has a TTL). The only exception to that is the root token and hopefull you’re not generating root tokens over and over again, even for testing that’s a horrible idea because you’re not actually testing anything at the point.
vault token revoke will revoke tokens one at a time, there is no mechanism for mass revoking.
Hi Aram,
Thank you for your comment, would you have a list of recommend best practices we should be following when using Vault?
I assume one of the best practice is to always set a TTL on our approles. We will attempt to codify this and enforce this in a TFE Sentinel Policy when managing Vault resources in Terraform. Though this won’t stop it if resources are created on the API / CLI level unless we had Vault Enterprise with a Sentinel.
The most generic advice I can provide is that the TTL should be as short as actually needed. Also don’t confuse Max TTL with TTL… the Max TTL can be the maximum length of time a token is a valid for with renewals.