Hi everyone,
I am currently trying to set up a service that uses the NewLifetimeWatcher to renew its token.
Environment
- Vault API: github.com/hashicorp/vault/api v1.9.2
- Golang: 1.20
Observations
- When doing some local testing with a short ttl (e.g. 1m, 5m, 30m) the renewer behaves fine:
  vault token renewed successfully at: 2023-07-18 08:16:56.659702289 +0000 UTC
  vault token renewed successfully at: 2023-07-18 08:17:39.307710154 +0000 UTC
  ...
- If the ttl is longer (e.g. 768h) the token does not always seem to be renewed, which results in subsequent requests getting a 403 of course and making my service fail (making creating & injecting a new token necessary).
Issues
The token just sometimes expires without anything useful showing up in my logs.
- Is there any way to debug this properly? I unfortunately was not able to find any logging opportunity or similar in lifetime_watcher.go (or anywhere else for that matter)
- Could there be anything else wrong in the implementation (see code snippet below)?
I am at least suspecting that in lifetime_watcher.go either the calculateSleepDuration()
Code Snippet
```go
package main

import (
	"encoding/json"
	"fmt"

	"github.com/hashicorp/vault/api"
	"github.com/sirupsen/logrus"
)

func main() {
	// Client setup added so the snippet compiles; DefaultConfig reads VAULT_ADDR/VAULT_TOKEN.
	client, err := api.NewClient(api.DefaultConfig())
	if err != nil {
		logrus.Errorf("error creating vault client: %v", err)
		return
	}
	watcher, err := lifetimeWatcher(client)
	if err != nil {
		logrus.Errorf("error setting up vault token lifetime watcher: %v", err)
		return
	}
	go watcher.Start()
	defer watcher.Stop()
	go func() {
		for {
			select {
			case err := <-watcher.DoneCh():
				// DoneCh delivers once, when the watcher has stopped renewing:
				// nil if the lease can no longer be extended, otherwise the renewal error.
				if err != nil {
					logrus.Errorf("error when renewing vault token %v", err)
				}
			case renewal := <-watcher.RenewCh():
				logrus.Infof("vault token renewed successfully at: %v", renewal.RenewedAt)
			}
		}
	}()
	select {} // block forever (the original calls a scheduler.block() helper here)
}

// lifetimeWatcher looks up the current token, renews it once and wraps it in a
// LifetimeWatcher that asks for the token's creation_ttl on every renewal.
func lifetimeWatcher(client *api.Client) (*api.LifetimeWatcher, error) {
	secret, err := client.Auth().Token().LookupSelf()
	if err != nil {
		return nil, err
	}
	if ok, _ := secret.TokenIsRenewable(); !ok {
		return nil, fmt.Errorf("secret is not renewable")
	}
	// creation_ttl comes back as a json.Number holding seconds
	var increment int64
	if v, ok := secret.Data["creation_ttl"]; ok {
		if n, ok := v.(json.Number); ok {
			increment, err = n.Int64()
			if err != nil {
				return nil, err
			}
		}
	}
	// renew once on start as lookupSelf initially does not have auth info
	s, err := client.Auth().Token().RenewSelf(int(increment))
	if err != nil {
		return nil, err
	}
	secret.Auth = s.Auth
	return client.NewLifetimeWatcher(&api.LifetimeWatcherInput{
		Secret:    secret,
		Increment: int(increment),
	})
}
```
Thanks a lot.
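The Vault api package documents that DoneCh fires once per watcher, either when a renewal fails or when the remaining lease can no longer be extended (max TTL reached, renewing not extending it), and that the caller should then re-read or re-authenticate; a loop that only logs that value keeps a watcher that renews nothing more. The following supervisor, an added example and not code from the post above, replaces a finished watcher with a fresh one; watcherHandle, newWatcherFunc and supervise are assumed names, and the re-authentication step is supplied by the caller (the test exercises it with a constructed stand-in for api.LifetimeWatcher).

```go
package main

import (
	"context"
	"log"
	"time"
)

// watcherHandle is the part of api.LifetimeWatcher used here; *api.LifetimeWatcher
// has Start, Stop and DoneCh, so it satisfies the interface unchanged.
type watcherHandle interface {
	Start()
	Stop()
	DoneCh() <-chan error
}

// newWatcherFunc is assumed to be the caller's code: re-authenticate (or do
// LookupSelf + RenewSelf as in the post) and wrap the token in a new watcher.
type newWatcherFunc func(ctx context.Context) (watcherHandle, error)

// supervise keeps one watcher alive until ctx is cancelled and returns how
// many finished watchers it replaced. DoneCh fires once per watcher: nil when
// renewing no longer extends the lease (max TTL reached), an error when a
// renewal call failed. Either way that watcher renews nothing more, so a loop
// that only logs the value leaves the token to expire (hence the 403s).
func supervise(ctx context.Context, newWatcher newWatcherFunc, retry time.Duration) int {
	restarts := 0
	for {
		w, err := newWatcher(ctx)
		if err != nil {
			log.Printf("re-authentication failed: %v; retrying in %s", err, retry)
			select {
			case <-ctx.Done():
				return restarts
			case <-time.After(retry):
			}
			continue
		}
		go w.Start()
		select {
		case <-ctx.Done():
			w.Stop()
			return restarts
		case err := <-w.DoneCh():
			w.Stop() // the old watcher is finished for good
			log.Printf("watcher finished (err=%v); building a new one", err)
			restarts++
		}
	}
}
```

Logging renewal.Secret.Auth.LeaseDuration and renewal.Secret.Warnings from RenewCh alongside this shows whether each renewal actually extended the lease before DoneCh fires.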