Understanding periodic tokens

Hello,

I was looking at the documentation related to periodic tokens and there’s something I don’t understand related to their TTL.

In the documentation it’s stated that:

Outside of root tokens, it is currently the only way for a token in Vault to have an unlimited lifetime.

But when a period token expires, it’s gone, exactly like a normal token.
This is a period token:

root@vault-0:~# vault token lookup -accessor Ntn1MIDb8qeZRJubHznf90xh
Key                 Value
---                 -----
accessor            Ntn1MIDb8qeZRJubHznf90xh
creation_time       1666702899
creation_ttl        1m
display_name        token
entity_id           n/a
expire_time         2022-10-25T16:02:39.023450651+03:00
explicit_max_ttl    0s
id                  n/a
issue_time          2022-10-25T16:01:39.023469703+03:00
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
period              1m
policies            [root]
renewable           true
ttl                 52s
type                service

And this is a normal one (both with 1 minute period/ttl):

root@vault-0:~# vault token lookup -accessor O1GZr0HMxhFe8HQP1fHEEkUP
Key                 Value
---                 -----
accessor            O1GZr0HMxhFe8HQP1fHEEkUP
creation_time       1666702946
creation_ttl        1m
display_name        token
entity_id           n/a
expire_time         2022-10-25T16:03:26.727683+03:00
explicit_max_ttl    0s
id                  n/a
issue_time          2022-10-25T16:02:26.72769318+03:00
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [root]
renewable           true
ttl                 50s
type                service

But you could renew both infinitely, right? So if that’s the case, what’s the use for period tokens?

P.S. I see you can create both period and normal tokens with an infinite period/ttl anyway.

Yes. But the point is that only a periodic token can be renewed forever, so long as you never let it completely expire.

No - try preemptively renewing the non-periodic token for a very long duration:

vault token renew -i 99999h

You will find its TTL is clamped to a maximum.

For a root token, that will be the max_lease_ttl from the Vault configuration file, or a compiled-in default of 32 days if not set.

Periodic tokens exist to escape this limit in a controlled way.

That’s a special exception for root tokens only.

No other token is allowed an infinite TTL.
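The renew-and-clamp experiment described in the replies, as an added shell example that is not part of this thread or of Vault's own tooling. The parsing helpers run offline against constructed samples mirroring the two lookups in the question; the live part assumes a reachable Vault with VAULT_ADDR and VAULT_TOKEN exported and a token allowed to create child tokens, and only runs when invoked with --live.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers read the tabular output of
# `vault token lookup` / `vault token renew` on stdin; the live demo needs
# VAULT_ADDR and VAULT_TOKEN (assumption) and is only run with --live.

# Print the value of one Key/Value row, e.g. lookup_field ttl -> "52s".
lookup_field() {
  awk -v key="$1" '$1 == key { print $2; exit }'
}

# Print "periodic" when a period row is present and non-zero, else "regular".
# A regular token's lookup has no period row at all, as in the question.
classify_token() {
  awk '$1 == "period" && $2 != "0s" { p = 1 } END { print (p ? "periodic" : "regular") }'
}

# Constructed samples mirroring the two lookups in the question.
PERIODIC_SAMPLE='Key                 Value
---                 -----
creation_ttl        1m
period              1m
renewable           true
ttl                 52s'

REGULAR_SAMPLE='Key                 Value
---                 -----
creation_ttl        1m
renewable           true
ttl                 50s'

# Live reproduction of the reply's experiment: create one token of each kind
# with a 1m TTL/period, then request a huge renewal increment on both.
# The regular token's token_duration is clamped to max_lease_ttl (measured
# from issue time); the periodic token is reset to its 1m period regardless
# of the increment, and keeps being reset as long as it is renewed in time.
renew_clamp_demo() {
  regular=$(vault token create -ttl=1m -field=token)
  periodic=$(vault token create -period=1m -field=token)
  for t in "$regular" "$periodic"; do
    printf '%s token after renew -increment=99999h: token_duration=%s\n' \
      "$(vault token lookup "$t" | classify_token)" \
      "$(vault token renew -increment=99999h "$t" | lookup_field token_duration)"
  done
}

if [ "${1:-}" = "--live" ]; then renew_clamp_demo; fi
```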
