Root token creation

I have been using Vault for several years now. This means that there are probably some old processes that I need to unlearn. :smile:

At work today we encountered a situation which necessitated our rotating a root token. Many moons ago, it was proper to create a new root token by running the vault token create command as a root user. This no longer seems to be the case. Running that command produced a token with these properties:

$ vault token lookup <token>
Key                 Value
---                 -----
accessor            <redacted>
creation_time       1593721464
creation_ttl        0s
display_name        token
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.<redacted>
issue_time          2020-07-02T20:24:24.656152361Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [root]
renewable           false
ttl                 0s
type                service

I noticed a few differences:

  • display_name: was set to token
  • orphan: was set to false
  • path: was set to auth/token/create
  • the issue_time field exists
  • the renewable field exists

I reviewed the documentation to refresh my memory and found some new procedures. I added some switches to my trusty old command and came up with this gem: vault token create -display-name=root -orphan. The result was something like this:

$ vault token lookup <token>
Key                 Value
---                 -----
accessor            <redacted>
creation_time       1593723598
creation_ttl        0s
display_name        token-root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.<redacted>
issue_time          2020-07-02T20:59:58.818646769Z
meta                <nil>
num_uses            0
orphan              true
path                auth/token/create
policies            [root]
renewable           false
ttl                 0s
type                service

This was better, but it still had differences from what a good root token should have. Further perusal of the documentation turned up this generate-root concept.

$ vault operator generate-root -init

$ vault operator generate-root
Encoded Token    <encoded-token>

$ vault operator generate-root -decode=<encoded-token> -otp=<one-time-password>
<new-root-token>

This resulted in a good solid looking root token:

vault token lookup 
Key                 Value
---                 -----
accessor            <redacted>
creation_time       1593724721
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.<redacted>
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service

I will just leave this here for posterity. Have a wonderful day.

2 Likes

amazing! - thanks for sharing @SunSparc

1 Like