Ah, nice idea, thank you… Trying it, though, and it just happily accepts whatever interval I give it, printing out:
```
# vault token renew -increment=99999h
Key                        Value
---                        -----
token                      <snip>
token_accessor             <snip>
token_duration             72h
token_renewable            true
token_policies             ["default" $JOB_POLICY "nomad-cluster"]
identity_policies          []
policies                   ["default" $JOB_POLICY "nomad-cluster"]
token_meta_NodeID          d5425927-48ff-91cf-fb12-c58c6e40fc1f
token_meta_Task            $TASK
token_meta_TaskGroup       $TASKGROUP
token_meta_AllocationID    8bf14fd5-6416-6ee6-07f8-1b19e7240af2
token_meta_JobID           $JOB
token_meta_Namespace       n/a
```
Doing a token lookup again after this command does indeed show the last_renewal, last_renewal_time, and expire_time fields have been updated with everything else looking the same at a glance.
Maybe this is a bug. This is the only example I’ve seen like this so far, but I haven’t looked hard either.
It seems to be acting like a periodic token with no expiry as long as renewal occurs, but I see no indication it’s actually periodic.