Hello,
I was looking at the documentation related to periodic tokens and there’s something I don’t understand related to their TTL.
In the documentation it’s stated that:
Outside of root tokens, it is currently the only way for a token in Vault to have an unlimited lifetime.
But when a period token expires, it’s gone, exactly like a normal token.
This is a period token:
root@vault-0:~# vault token lookup -accessor Ntn1MIDb8qeZRJubHznf90xh
Key                 Value
---                 -----
accessor            Ntn1MIDb8qeZRJubHznf90xh
creation_time       1666702899
creation_ttl        1m
display_name        token
entity_id           n/a
expire_time         2022-10-25T16:02:39.023450651+03:00
explicit_max_ttl    0s
id                  n/a
issue_time          2022-10-25T16:01:39.023469703+03:00
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
period              1m
policies            [root]
renewable           true
ttl                 52s
type                service
And this is a normal one (both with 1 minute period/ttl):
root@vault-0:~# vault token lookup -accessor O1GZr0HMxhFe8HQP1fHEEkUP
Key                 Value
---                 -----
accessor            O1GZr0HMxhFe8HQP1fHEEkUP
creation_time       1666702946
creation_ttl        1m
display_name        token
entity_id           n/a
expire_time         2022-10-25T16:03:26.727683+03:00
explicit_max_ttl    0s
id                  n/a
issue_time          2022-10-25T16:02:26.72769318+03:00
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [root]
renewable           true
ttl                 50s
type                service
But you could renew both infinitely, right? So if that’s the case, what’s the use for period tokens?
P.S. I see you can create both period and normal tokens with an infinite period/ttl anyway.