Token renewal not working

Hello,

I’m trying to renew my token:

```
>>> import hvac
>>> client = hvac.Client()
>>> client.lookup_token()
{'request_id': '7cf335f0-3a3a-235b-7c8e-4889a9de71e6', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'accessor': '<snip>', 'creation_time': 1588697647, 'creation_ttl': 2764800, 'display_name': 'token', 'entity_id': '', 'expire_time': '2020-06-06T16:54:07.09531292Z', 'explicit_max_ttl': 7884000, 'id': '<snip>', 'issue_time': '2020-05-05T16:54:07.095317025Z', 'meta': None, 'num_uses': 0, 'orphan': False, 'path': 'auth/token/create', 'policies': ['default', 'employee'], 'renewable': True, 'ttl': 2617094, 'type': 'service'}, 'wrap_info': None, 'warnings': None, 'auth': None}
>>> client.renew_token()
{'request_id': '202d6990-9cbd-89dc-d904-6953725417b6', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': None, 'wrap_info': None, 'warnings': ['TTL of "768h" exceeded the effective max_ttl of "726h57m58s"; TTL value is capped accordingly'], 'auth': {'client_token': '<snip>', 'accessor': '<snip>', 'policies': ['default', 'employee'], 'token_policies': ['default', 'employee'], 'metadata': None, 'lease_duration': 2617078, 'renewable': True, 'entity_id': '', 'token_type': 'service', 'orphan': False}}
>>> client.lookup_token()
{'request_id': '11fb3eef-f431-5d5c-cc0e-9b4a9c181c1f', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'accessor': '<snip>', 'creation_time': 1588697647, 'creation_ttl': 2764800, 'display_name': 'token', 'entity_id': '', 'expire_time': '2020-06-06T16:54:07.744004233Z', 'explicit_max_ttl': 7884000, 'id': '<snip>', 'issue_time': '2020-05-05T16:54:07.095317025Z', 'last_renewal': '2020-05-07T09:56:09.7440046Z', 'last_renewal_time': 1588845369, 'meta': None, 'num_uses': 0, 'orphan': False, 'path': 'auth/token/create', 'policies': ['default', 'employee'], 'renewable': True, 'ttl': 2617060, 'type': 'service'}, 'wrap_info': None, 'warnings': None, 'auth': None}
```

What I read from this:
TTL before renewal: 2617094
TTL after renewal: 2617060

Isn’t the purpose of token_renew() to increase the TTL? I set my explicit_max_ttl to 7884000.

It looks like your token has got an “explicit_max_ttl” set on it.

I don’t think Vault will let you renew past that.


Thanks for the link. I’m still a little bit confused, because the explicit_max_ttl in my test is significantly larger than the TTLs. However, this still might be the issue.

I tried to use a periodic token instead of an explicit_max_ttl, and this appears to work:

```
>>> client.token = client.create_token(period="726h57m58s", policies=["admin"])
{'request_id': 'cf7eab0d-45c4-3948-6ba8-12b95d43cb35', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': None, 'wrap_info': None, 'warnings': None, 'auth': {'client_token': '<snip>', 'accessor': '<snip>', 'policies': ['admin', 'default'], 'token_policies': ['admin', 'default'], 'metadata': None, 'lease_duration': 2617078, 'renewable': True, 'entity_id': '', 'token_type': 'service', 'orphan': False}}
>>> client.lookup_token()
{'request_id': '5b5e5388-b109-e6d4-ecfc-6faad9f229a3', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'accessor': '<snip>', 'creation_time': 1589197352, 'creation_ttl': 2617078, 'display_name': 'token', 'entity_id': '', 'expire_time': '2020-06-10T18:40:30.440984891Z', 'explicit_max_ttl': 0, 'id': '<snip>', 'issue_time': '2020-05-11T11:42:32.440990499Z', 'meta': None, 'num_uses': 0, 'orphan': False, 'path': 'auth/token/create', 'period': 2617078, 'policies': ['admin', 'default'], 'renewable': True, 'ttl': 2615364, 'type': 'service'}, 'wrap_info': None, 'warnings': None, 'auth': None}
>>> client.renew_token()
{'request_id': '7d2c7ab6-949c-1c0a-8b62-367636180bd5', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': None, 'wrap_info': None, 'warnings': None, 'auth': {'client_token': '<snip>', 'accessor': '<snip>', 'policies': ['admin', 'default'], 'token_policies': ['admin', 'default'], 'metadata': None, 'lease_duration': 2617078, 'renewable': True, 'entity_id': '', 'token_type': 'service', 'orphan': False}}
>>> client.lookup_token()
{'request_id': '2875a889-c98f-ea80-0473-c7b6c12073be', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'accessor': '<snip>', 'creation_time': 1589197352, 'creation_ttl': 2617078, 'display_name': 'token', 'entity_id': '', 'expire_time': '2020-06-10T19:09:09.729992082Z', 'explicit_max_ttl': 0, 'id': '<snip>', 'issue_time': '2020-05-11T11:42:32.440990499Z', 'last_renewal': '2020-05-11T12:11:11.729992179Z', 'last_renewal_time': 1589199071, 'meta': None, 'num_uses': 0, 'orphan': False, 'path': 'auth/token/create', 'period': 2617078, 'policies': ['admin', 'default'], 'renewable': True, 'ttl': 2617075, 'type': 'service'}, 'wrap_info': None, 'warnings': None, 'auth': None}
```

I can’t extend the TTL on my tokens either.

Here’s a token that I created yesterday; it has lost 22 hours of TTL.

```
# vault token lookup -accessor xxxxxxxxxxxxxxxxxxxxxxxxx | grep ttl
creation_ttl         768h
explicit_max_ttl     0s
ttl                  746h51m51s
```

So let’s extend by just 2h, back to 748 hours; less than the max TTL of 768h which is hard-wired into Vault. Only the root access token never expires.

```
# vault token renew -increment=2h -accessor xxxxxxxxxxxxxxxxxxxxxxxxx
Key                  Value
---                  -----
token_accessor       xxxxxxxxxxxxxxxxxxxxxxxxx
token_duration       2h
```

So how long till it expires now? Oh no, only 2 hours left to go!

```
# vault token lookup -accessor xxxxxxxxxxxxxxxxxxxxxxxxx | grep ttl
creation_ttl         768h
explicit_max_ttl     0s
ttl                  1h59m45s
```

Nope, that didn’t work, so let’s try going to 768h:

```
# vault token renew -increment=768h -accessor xxxxxxxxxxxxxxxxxxxxxxxxx
WARNING! The following warnings were returned from Vault:

  * TTL of "768h" exceeded the effective max_ttl of "746h47m42s"; TTL value is
  capped accordingly

Key                  Value
---                  -----
token                n/a
token_accessor       xxxxxxxxxxxxxxxxxxxxxxxxx
token_duration       746h47m42s
token_renewable      true
```

Nope, we’re back where we started. I can’t even get to 748h; I get the “ttl exceeded” error.

When you created the token, it got what looks like the “system max” TTL of 32 days. This is the maximum lifetime of the token from creation, regardless of renewal actions.

That means the token cannot live longer than 32 days from the point that you created it (it is more complicated than this because you can change configurations that might affect this, as the documentation shows, but let’s assume all other things are equal).

When you asked for a TTL incremented by 2h, that’s from the current time, not from the end of the existing TTL, as per the documentation, so that’s the expected behavior.

You can’t increment the TTL by 768h from the current time because already about one day has passed since when you created the token. You can only “get back to” the remainder of the max TTL since issuance; in your case 746h47m42s.

Bottom line: the only tokens that can be renewed indefinitely are periodic tokens. With the single special-case exception of root tokens, all other tokens have a maximum TTL defined from their point of creation and cannot be renewed past that.

Thanks nhw76,
what you say was what I had concluded.

However, if you don’t know that, then reading the output of “vault token renew --help” or reading the web documentation

doesn’t really explain what “if already reached its maximum ttl” means in practice. They really need to emphasise that this is relative to when the token was created originally and you cannot make it outlive the original expiry date. The fact that I misunderstood and came here to write about it suggests that it could be clearer, sorry.

Thanks for your time.

No problem. I tend to agree that you have to have really read and internalized the “Tokens” section in the “Concepts” documentation to get the full benefit from the rest of the documentation.

I think the documentation for the renew command should be amended as it’s misleading.

It should emphasise that you can NEVER extend the life of an accessor token beyond the date/time it would originally have expired.

Come to think of it, what IS the point of the renewal function if you can’t renew a token in the way I expected?
It should be called “reduce the ttl to a new value” instead!

I think you’re still misunderstanding: the token has a TTL which you set when you create it, and a maximum TTL. The two are not the same; ref. token create docs.

If you want a token to be valid for a day, and to be renewable by a day each time, you can do that. You set the initial TTL to 1d, and you renew with an increment of 1d. It will then be renewable repeatedly up to the max TTL, which is either derived from the system maximum and the mount options etc., or the explicit max TTL you set when you created the token.
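The arithmetic described in the two explanations above (renewal measured from the current time and capped at the remaining max TTL from creation; periodic tokens reset to their period every time) can be checked against the numbers posted in this thread. The following model is an added illustration, not hvac or Vault source code; it assumes the ceiling for a non-periodic token is creation time plus the smaller of explicit_max_ttl and the 768h system max, which is what the posted outputs show.

```python
# Model of Vault service-token renewal arithmetic (added illustration, not Vault code).
# Assumption: ceiling = creation_time + min(explicit_max_ttl, system max TTL);
# a periodic token has no ceiling and is reset to now + period on every renew.
from dataclasses import dataclass, field

HOUR = 3600
SYSTEM_MAX_TTL = 768 * HOUR  # Vault's default system max TTL (32 days)


def fmt_duration(seconds):
    """Render seconds like the thread's warnings, e.g. '746h47m42s' or '768h'."""
    h, rest = divmod(seconds, HOUR)
    m, s = divmod(rest, 60)
    return f"{h}h" + (f"{m}m" if m else "") + (f"{s}s" if s else "")


@dataclass
class Token:
    creation_time: int
    creation_ttl: int
    explicit_max_ttl: int = 0  # 0 means not set
    period: int = 0            # non-zero marks a periodic token
    expire_time: int = field(init=False)

    def __post_init__(self):
        self.expire_time = self.creation_time + self.creation_ttl

    def ttl(self, now):
        """Seconds of life left at time `now` (what `vault token lookup` shows as ttl)."""
        return max(0, self.expire_time - now)

    def renew(self, now, increment=None):
        """Renew at `now`; return (new ttl, warning or None).

        Periodic: expiry becomes now + period, with no ceiling.
        Otherwise: expiry becomes now + increment, capped so that it never
        passes creation_time + max TTL, which is why a renew can shrink the ttl.
        """
        if self.period:
            self.expire_time = now + self.period
            return self.ttl(now), None
        if increment is None:
            increment = self.creation_ttl  # no increment given: Vault uses the creation TTL
        ceiling = min(self.explicit_max_ttl or SYSTEM_MAX_TTL, SYSTEM_MAX_TTL)
        effective_max = max(0, self.creation_time + ceiling - now)
        warning = None
        if increment > effective_max:
            warning = (f'TTL of "{fmt_duration(increment)}" exceeded the effective max_ttl '
                       f'of "{fmt_duration(effective_max)}"; TTL value is capped accordingly')
            increment = effective_max
        self.expire_time = now + increment
        return self.ttl(now), warning
```

Feeding in the CLI poster's token (768h creation TTL, renewed 2h about 21 hours after creation, then 768h a few minutes later) reproduces the 2h result and the "746h47m42s" cap, and the first poster's explicit_max_ttl of 7884000 still caps at "726h57m58s" because the 768h system max applies from creation.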

> “want a token to be valid for a day, and to be renewable by a day each time, you can do that. You set the initial TTL to 1d, and you renew with increment of 1d”

Can you provide a worked example of that, because now I am really confused. Why is it that creating with an initial TTL of 1d is any more renewable than one created with 768h/32d?

I am currently creating a token with the default/max ttl of 768h or 32 days and the ttl is also 768h. After one day the default/max ttl has now diminished to reflect the loss of a day, and I cannot renew back up to the full 768h, so the token will expire on the calendar day/time as first created. You already said I cannot renew past that.

OK, I re-read…
I think what you’re saying is that I can create a token with a TTL of 1 day and I can renew it 31 times until the max TTL has expired?
So that doesn’t solve the problem.
I don’t want to use the non-expiring root accessor token, but it looks as if I have no choice if I want a token that doesn’t expire.
I am happy to revoke tokens if I feel they have been compromised.
Can I create a new root token with lower privileges, so that I have a non-expiring one?

If you want a token that can be renewed indefinitely, it needs to be a periodic token, as mentioned above.