Hello,
We are using the Vault <> Consul secret engine integration and leveraging the Consul ACL policies.
I’m trying to understand if the Consul ACL token can be renewed, and if so what the recommended/suggested way is - if that can even be said about a token renewal in this context.
Here’s the setup:
- Initial setup as per Consul - Secrets Engines | Vault | HashiCorp Developer, using Vault 1.11.3 + Consul 1.10.0
- The integration is working - I am able to create an ACL token using
vault read consul-engine/creds/consul-role
and see it attached to its corresponding Role + Policy in Consul
- I’m trying to use the
auth/token/renew
API call with the token produced in step 2 above against Vault, using the Vault root token and giving the Consul ACL token as the targeted token to be refreshed, like so:
curl -Lvv -XPUT --header "X-Vault-Token: <VaultRootToken>" -d '{"token": "<ConsulACLToken>"}' http://127.0.0.1:8201/v1/auth/token/renew
The response I’m getting is ‘token not found’:
> PUT /v1/auth/token/renew HTTP/1.1
> Host: 127.0.0.1:8201
> User-Agent: curl/7.79.1
> Accept: */*
> X-Vault-Token: redacted
> Content-Length: 49
> Content-Type: application/x-www-form-urlencoded
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Cache-Control: no-store
< Content-Type: application/json
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Mon, 21 Nov 2022 01:09:12 GMT
< Content-Length: 31
<
{"errors":["token not found"]}
- So the approach I took is to renew/refresh the Consul ACL token via the
/v1/sys/leases/renew
endpoint, providing the lease ID I got for the Consul ACL token from step 2 - which works. P.S. I’ve also provided an increment value for the renewal to get a new TTL, per what’s allowed.
So back to the original question - is this a common/recommended way to renew the Consul ACL token or am I missing another way?
Thanks in advance
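The lease-based renewal described in the post, written out as an added example (not from the original post or from HashiCorp): the Consul ACL token is not a Vault token, so `auth/token/renew` has nothing to look up, while Vault does track the token as a lease and accepts that lease ID on `sys/leases/renew`. The script assumes `VAULT_ADDR` and `VAULT_TOKEN` are exported, uses the mount path `consul-engine` and role `consul-role` from the post, and runs its standalone demo against a constructed sample of a `vault read -format=json` response, so it does not need a live Vault to execute. The field extractor and the threshold check are the parts that run offline; `issue_consul_token`, `renew_consul_lease` and `renew_via_cli` are the calls you would make against a real cluster.

```shell
#!/bin/sh
# Added example (not from the original post). Renew the Vault lease that
# backs a Consul ACL token issued by the Consul secrets engine.
# Assumptions: VAULT_ADDR and VAULT_TOKEN are exported, the mount is
# "consul-engine" with role "consul-role" as in the post, and the vault
# CLI and curl are on PATH.

# Pull one top-level field ("lease_id", "lease_duration", "renewable")
# out of a Vault JSON response without depending on jq. Works on both
# pretty-printed and single-line JSON; first match wins.
json_field() {
  # $1 = field name, $2 = JSON text
  printf '%s\n' "$2" | sed -n \
    "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p" \
    | head -n 1
}

# Renew when the remaining TTL (seconds) is at or below the threshold.
# Exit status 0 means "renew now", 1 means "not yet".
needs_renewal() {
  # $1 = remaining ttl in seconds, $2 = threshold in seconds
  [ "$1" -le "$2" ]
}

# Step 2 of the post: issue a Consul ACL token. The lease_id in the
# response is what Vault tracks, not the Consul token itself.
issue_consul_token() {
  vault read -format=json consul-engine/creds/consul-role
}

# Renew the lease (not the token) through sys/leases/renew, asking for a
# fresh TTL of $2 seconds. Vault caps the granted TTL at the engine's
# max_ttl, so read lease_duration from the response rather than assuming.
renew_consul_lease() {
  # $1 = lease_id, $2 = increment in seconds
  curl -sS -X PUT \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    -d "{\"lease_id\": \"$1\", \"increment\": $2}" \
    "$VAULT_ADDR/v1/sys/leases/renew"
}

# Same renewal via the CLI, followed by a lookup that shows the TTL Vault
# actually granted.
renew_via_cli() {
  # $1 = lease_id, $2 = increment in seconds
  vault lease renew -increment="$2" "$1" && vault lease lookup "$1"
}

# Constructed sample of a `vault read -format=json` response (not real
# output; the IDs and token are placeholders).
SAMPLE_CREDS='{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "lease_id": "consul-engine/creds/consul-role/EXAMPLE-LEASE-ID",
  "lease_duration": 3600,
  "renewable": true,
  "data": { "accessor": "EXAMPLE-ACCESSOR", "token": "EXAMPLE-CONSUL-TOKEN" }
}'

# Standalone demo on the constructed sample. Against a real cluster,
# replace SAMPLE_CREDS with "$(issue_consul_token)" and uncomment the
# renewal call.
main() {
  creds="$SAMPLE_CREDS"
  lease_id=$(json_field lease_id "$creds")
  ttl=$(json_field lease_duration "$creds")
  echo "lease_id: $lease_id  lease_duration: ${ttl}s"
  if needs_renewal "$ttl" 3600; then
    echo "renewing lease with a 7200s increment"
    # renew_consul_lease "$lease_id" 7200
  fi
}

main
```

Two things worth keeping in mind when running this for real: the granted TTL in the renew response, not the increment you asked for, is the number to schedule the next renewal from, because it is bounded by the engine's max_ttl; and the token used to call `sys/leases/renew` only needs a policy covering that path, so there is no reason to keep using the root token for it.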