We wanted a scenario where one server with a long-lived, periodically renewed token issues single-use tokens to others (a SaltStack master and minions).
This first long-lived token is created from the root token.
Then we wanted to use that single-use token to generate a certificate in Vault PKI using the https://www.vaultproject.io/api/secret/pki/index.html#generate-certificate API call.
The response took a long time, and then came back as HTTP 400: “Secret cannot be returned; token had one use left, so leased credentials were immediately revoked.”
The certificate is generated but not returned, so I cannot use it, since I never received my private key. I can find it by listing all certs, and it is already revoked (it has revokeTime set).
Certificates generated using a time-constrained token work just fine and live on after the token expires (certificates are not revoked when the token expires).
I would like to receive my generated certificate; that was the sole purpose of creating a single-use token, so that it cannot be used to generate anything else.
The only place I found in the code is here: https://github.com/hashicorp/vault/blob/master/vault/request_handling.go#L631, where the response containing the generated credentials is replaced with an error message.
Is this desired behavior, some sort of bug, or my misunderstanding of things?
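To make the failure in the post above concrete, here is an added example that is not part of the original post and is not Vault's own code: a small Python model of the token-use and lease bookkeeping that interact in this flow. The model assumes (stated here from how Vault documents tokens and leases, not from the post) that every request consumes one use of the calling token and a token whose uses reach zero is revoked; that a secret returned with a lease is registered with the calling token as its parent; that revoking a token revokes every lease it created, and revoking a PKI lease revokes the certificate; and that, as in the linked request_handling.go check, a leased secret produced by a token that had one use left is replaced by the quoted 400 error. Whether pki/issue attaches a lease at all is modelled by the role's generate_lease flag, which is a real PKI role option but is not mentioned in the post, so the poster's role setting is unknown. The role name "salt" and all identifiers are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

ONE_USE_ERROR = ("Secret cannot be returned; token had one use left, "
                 "so leased credentials were immediately revoked.")


@dataclass
class Token:
    id: str
    num_uses: int            # 0 = unlimited (root, or a purely time-limited token)
    revoked: bool = False


@dataclass
class Cert:
    serial: str
    revoked: bool = False    # real Vault records this as revokeTime on the cert


@dataclass
class Lease:
    lease_id: str
    parent_token: str        # the token whose request created the lease
    cert: Cert


class ModelVault:
    """Toy model of the token-use / lease bookkeeping; not Vault's code."""

    def __init__(self) -> None:
        self.tokens: dict[str, Token] = {"root": Token("root", num_uses=0)}
        self.leases: dict[str, Lease] = {}
        self.certs: dict[str, Cert] = {}
        self.roles: dict[str, bool] = {}      # role name -> generate_lease (assumed mapping)
        self._n = 0

    def _next(self, prefix: str) -> str:
        self._n += 1
        return f"{prefix}-{self._n}"

    def revoke_token(self, token_id: str) -> None:
        # Assumption: leases are children of the requesting token and die with
        # it; a revoked pki lease revokes its certificate.
        self.tokens[token_id].revoked = True
        for lease in list(self.leases.values()):
            if lease.parent_token == token_id:
                lease.cert.revoked = True
                del self.leases[lease.lease_id]

    def _use(self, token: Token) -> bool:
        """Consume one use; True if that was the token's last one."""
        if token.num_uses == 0:
            return False
        token.num_uses -= 1
        return token.num_uses == 0

    def request(self, token_id: str, handler: Callable[[], dict]) -> dict:
        """Check the token, run the backend, register a lease if the backend
        returned a leased secret, then apply the single-use rule."""
        te = self.tokens.get(token_id)
        if te is None or te.revoked:
            return {"status": 403, "errors": ["permission denied"]}
        last_use = self._use(te)
        resp = handler()
        secret = resp.get("secret")
        if secret is not None:
            lease = Lease(self._next("lease"), te.id, secret["cert"])
            self.leases[lease.lease_id] = lease
            resp["lease_id"] = lease.lease_id
        if last_use:
            self.revoke_token(te.id)       # takes the new lease, and its cert, with it
            if secret is not None:
                return {"status": 400, "errors": [ONE_USE_ERROR]}
        return resp

    def token_create(self, parent: str, num_uses: int) -> dict:
        def handler() -> dict:
            tok = Token(self._next("tok"), num_uses)
            self.tokens[tok.id] = tok
            return {"status": 200, "auth": {"client_token": tok.id}}
        return self.request(parent, handler)

    def pki_issue(self, token_id: str, role: str) -> dict:
        def handler() -> dict:
            cert = Cert(self._next("serial"))
            self.certs[cert.serial] = cert
            resp = {"status": 200,
                    "data": {"certificate": f"CERT({cert.serial})",
                             "private_key": f"KEY({cert.serial})",
                             "serial_number": cert.serial}}
            if self.roles[role]:             # generate_lease=true attaches a lease
                resp["secret"] = {"cert": cert}
            return resp
        return self.request(token_id, handler)


def reproduce(generate_lease: bool, num_uses: int = 1) -> dict:
    """The post's flow: root -> long-lived token -> use-limited token -> pki/issue."""
    v = ModelVault()
    v.roles["salt"] = generate_lease
    long_lived = v.token_create("root", num_uses=0)["auth"]["client_token"]
    limited = v.token_create(long_lived, num_uses=num_uses)["auth"]["client_token"]
    resp = v.pki_issue(limited, "salt")
    return {
        "status": resp["status"],
        "errors": resp.get("errors", []),
        "private_key_returned": "data" in resp,
        "lease_id": resp.get("lease_id"),
        "revoked_certs": sorted(c.serial for c in v.certs.values() if c.revoked),
        "token_revoked": v.tokens[limited].revoked,
    }


if __name__ == "__main__":
    print("leased, num_uses=1:  ", reproduce(True, 1))    # the post's 400
    print("unleased, num_uses=1:", reproduce(False, 1))
    print("leased, num_uses=2:  ", reproduce(True, 2))
```

Run stand-alone, the first case reproduces what the post reports: the certificate exists and is already revoked, the single-use token is gone, and the caller gets the 400 instead of the private key. The other two cases show the two knobs that change the outcome in the model: a role that does not attach a lease returns the certificate and still burns the token, and a token with two uses returns the leased certificate but leaves the lease tied to that token, so the certificate lives only as long as the token does.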