Sys/expire/id/auth/aws/login full of entries ...?

I’m currently migrating from using Consul as the backend storage to the integrated storage. The migration process is listing all of the keys being copied.

It is taking a LONG time to copy keys under the path “sys/expire/id/auth/aws/login”. Should I be running any sort of cron process or similar to get Vault to clean up expired login keys so that this path doesn’t just continue to grow and grow and grow?

(I suspect that this might have been a contributory factor to why our Consul snapshots were occasionally breaking - the number of keys being stored was growing daily)

Looks like it might be related to this:

Vault may not be removing expired tokens from Consul · Issue #1815 · hashicorp/vault (github.com)

(except that is related to the app-id authenticator, not the aws authenticator)

So it turns out that this was all my fault.

We use AWS IAM & EC2 authentication heavily and I wasn’t revoking the generated authentication tokens. These were (I guess by default) valid for a month so, under heavy usage, the number of tokens lying around waiting to expire was just growing.

I’m now going through all of our scripts to amend them to explicitly revoke any tokens once I’m done with them.

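What the "revoke the token once I'm done with it" fix from the last post looks like as a reusable shell wrapper, added here as an example rather than taken from the poster's scripts. It assumes the vault CLI is on PATH, VAULT_ADDR is already set, and the role name my-ec2-role is a placeholder for your own auth/aws role.

```shell
#!/bin/sh
# Added example, not from the original thread: wrap each unit of work in a
# fresh AWS-auth login and revoke the token as soon as the work is done, so
# tokens do not pile up under sys/expire/id/auth/aws/login until their TTL ends.
# Assumptions: vault CLI on PATH, VAULT_ADDR set, "my-ec2-role" is a placeholder.
set -eu

VAULT_ROLE="${VAULT_ROLE:-my-ec2-role}"   # placeholder role name

# Log in via auth/aws and print only the client token (-token-only keeps the
# CLI from writing it to ~/.vault-token, so nothing is left behind on disk).
aws_login() {
  vault login -method=aws -token-only role="$VAULT_ROLE"
}

# Revoke the token currently in VAULT_TOKEN (and any child tokens). Safe to
# call more than once: a second call finds VAULT_TOKEN already unset.
revoke_token() {
  if [ -n "${VAULT_TOKEN:-}" ]; then
    vault token revoke -self >/dev/null 2>&1 || true
    unset VAULT_TOKEN
  fi
}

# Run a command with a freshly issued token and revoke it afterwards, whether
# the command succeeds, fails, or the script is interrupted (EXIT trap).
with_aws_token() {
  rc=0
  VAULT_TOKEN="$(aws_login)"
  export VAULT_TOKEN
  trap revoke_token EXIT
  "$@" || rc=$?
  revoke_token
  return "$rc"
}

# Check: how many aws login leases are still pending? Run before and after the
# change to confirm the backlog stops growing (needs sudo on sys/leases).
# JSON list output prints one array element per line, so count quoted lines.
pending_aws_logins() {
  vault list -format=json sys/leases/lookup/auth/aws/login/ | grep -c '^ *"' || true
}

# A shorter role TTL also bounds how long a token you forget to revoke lingers,
# e.g.: vault write auth/aws/role/"$VAULT_ROLE" token_ttl=1h

# Only run when given a command, so the file can also be sourced as a library.
if [ "$#" -gt 0 ]; then
  with_aws_token "$@"
fi
```

Usage: `sh revoke_wrapper.sh ./deploy.sh` issues a token for the deploy, then revokes it on exit.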