Root token creation

I have been using Vault for several years now. This means that there are probably some old processes that I need to unlearn. :smile:

At work today we encountered a situation which necessitated our rotating a root token. Many moons ago, it was proper to create a new root token by running the vault token create command as a root user. This no longer seems to be the case. Running that command produced a token with these properties:

$ vault token lookup <token>
Key                 Value
---                 -----
accessor            <redacted>
creation_time       1593721464
creation_ttl        0s
display_name        token
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.<redacted>
issue_time          2020-07-02T20:24:24.656152361Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [root]
renewable           false
ttl                 0s
type                service

I noticed a few differences:

  • display_name: was set to token
  • orphan: was set to false
  • path: was set to auth/token/create
  • the issue_time field exists
  • the renewable field exists

I reviewed the documentation to refresh my memory and found some new procedures. I added some switches to my trusty old command and came up with this gem: vault token create -display-name=root -orphan. The result was something like this:

$ vault token lookup <token>
Key                 Value
---                 -----
accessor            <redacted>
creation_time       1593723598
creation_ttl        0s
display_name        token-root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.<redacted>
issue_time          2020-07-02T20:59:58.818646769Z
meta                <nil>
num_uses            0
orphan              true
path                auth/token/create
policies            [root]
renewable           false
ttl                 0s
type                service

This was better, but it still had differences from what a good root token should have. Further perusal of the documentation turned up this generate-root concept.

$ vault operator generate-root -init

$ vault operator generate-root
Encoded Token    <encoded-token>

$ vault operator generate-root -decode=<encoded-token> -otp=<one-time-password>
<new-root-token>

This resulted in a good, solid-looking root token:

$ vault token lookup
Key                 Value
---                 -----
accessor            <redacted>
creation_time       1593724721
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.<redacted>
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service

I will just leave this here for posterity. Have a wonderful day.


amazing! - thanks for sharing @SunSparc


Are there any APIs for decoding the encoded token in the generate-root scenario? I found that it can be achieved using the command below.
vault operator generate-root -decode= -otp=

But I need an API to decode the token, because I am outside the machine where Vault is installed.

Can anybody help to find a solution?
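The decode step of `generate-root` is not an API call at all: the CLI does it locally, because the encoded token is simply the new root token XORed byte-for-byte with the OTP and then raw (unpadded) base64-encoded. The following is an added example, not code from this thread or from Vault itself, that reproduces both directions so the round trip can be checked off the Vault host; it assumes the 26-character `s.`-prefixed token and same-length OTP that Vault 1.x issued, and uses constructed sample values.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// xorBytes returns a XOR b, refusing mismatched lengths instead of truncating.
func xorBytes(a, b []byte) ([]byte, error) {
	if len(a) != len(b) {
		return nil, fmt.Errorf("length mismatch: %d vs %d", len(a), len(b))
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// EncodeRootToken mirrors the server side of generate-root: XOR the new root
// token with the OTP and emit raw base64. Included so the round trip runs offline.
func EncodeRootToken(token, otp string) (string, error) {
	x, err := xorBytes([]byte(token), []byte(otp))
	if err != nil {
		return "", err
	}
	return base64.RawStdEncoding.EncodeToString(x), nil
}

// DecodeRootToken is the client-side step behind
// `-decode=<encoded-token> -otp=<one-time-password>`: undo the base64,
// then XOR with the OTP that `generate-root -init` printed.
func DecodeRootToken(encoded, otp string) (string, error) {
	x, err := base64.RawStdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("encoded token is not raw base64: %w", err)
	}
	tok, err := xorBytes(x, []byte(otp))
	if err != nil {
		return "", fmt.Errorf("OTP does not match this encoded token: %w", err)
	}
	return string(tok), nil
}

// Constructed sample values (not real credentials): a 26-character
// "s."-prefixed service token and a same-length OTP, as Vault 1.x issued.
const (
	SampleToken = "s.abcdefghijklmnopqrstuvwx"
	SampleOTP   = "ZYXWVUTSRQPONMLKJIHGFEDCBA"
)
```

A wrong-length OTP (for example one from an earlier `-init` run that was since cancelled) fails the length check rather than producing a garbage token.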