Vault <> Consul secret engine and ACL token renew (?)


We are using the Vault <> Consul secret engine integration and leveraging the Consul ACL policies.

I’m trying to understand if the Consul ACL token can be renewed, and if so what is the recommended/suggested way - if that can be even said about a token renewal in this context

Here’s the setup:

  1. Initial setup as per Consul - Secrets Engines | Vault | HashiCorp Developer, using Vault 1.11.3 + Consul 1.10.0
  2. The integration is working - I am able to create an ACL token using vault read consul-engine/creds/consul-role and see it attached to it’s corresponding Role + Policy in Consul
  3. I’m trying to use the auth/token/renew API call with produced token from step 2 above like so against vault with the vault root token and giving the Consul ACL token as the targeted token to be refreshed like so:

curl -Lvv -XPUT --header "X-Vault-Token: <VaultRootToken>" -d '{"token": "<ConsulACLToken>"}'

the response I’m getting is ‘token not found’:

PUT /v1/auth/token/renew HTTP/1.1
User-Agent: curl/7.79.1
Accept: /
X-Vault-Token: reducated
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

  • Mark bundle as not supporting multiuse
    < HTTP/1.1 400 Bad Request
    < Cache-Control: no-store
    < Content-Type: application/json
    < Strict-Transport-Security: max-age=31536000; includeSubDomains
    < Date: Mon, 21 Nov 2022 01:09:12 GMT
    < Content-Length: 31
    {“errors”:[“token not found”]}
  1. So the approach I took is to renew/refresh the Consul ACL token via the /v1/sys/leases/renew endpoint and providing the lease ID I got for the Consul ACL token from step 2 - which works p.s. I’ve also provided an increment value for the renewal for getting a new TTL per whats allowed

So back to the original question - is this a common/recommended way to renew the Consul ACL token or am I missing another way?

Thanks in advance

The Vault auth/token/renew APIs are solely for renewing Vault tokens - you can’t use them to renew any other kind of derived token or secret.

Using the lease ID as you’ve discovered, is the way Vault provides to extend the lifetime of such things.