Vault PKI and single use tokens

Garagoth · December 13, 2019, 6:28pm

Hi,

We wanted a scenario where one server with long-lived, periodically renewed token issues single use tokens to others (saltstack master and minions).
This first long-lived token is created from root token.
Then we wanted to use that single use token to generate a certificate in Vault pki using https://www.vaultproject.io/api/secret/pki/index.html#generate-certificate API call.

Results:
Pretty long time of response, and then HTTP 400: “Secret cannot be returned; token had one use left, so leased credentials were immediately revoked.”
Certificate is generated, but not returned, so I cannot use it since I never received my private key. I can find it listing all certs, and it is already revoked (has revokeTime set).
Certificates generated using a time constrained token are working just fine and living after token expires (certificates are not revoked when token expires).

I would like to receive my generated certificate, that was the sole purpose of creating a single use token - so it cannot be used to generate anything else.

Only place that I found in code is here: https://github.com/hashicorp/vault/blob/master/vault/request_handling.go#L631, where response containing generated credentials is replaced with error message.

Is this a desired behavior, some sort of bug or my misunderstanding of things?

briankassouf · December 14, 2019, 3:13am

Hi,

Secrets generated in vault are bound to the lifetime of the Vault token that created them, which is why a token with a single use count cannot generate a leased secret. Time constrained tokens have this same characteristic. The certificate created by the expired token should be in the CRL (and have a revoke time set).

However since x509 certs allow you to encode a TTL in the cert (we recommend making this a small value) the PKI backend has a setting that allows you disable generating leases. Setting this to false should allow you to use single use tokens to create a certificate.

Hope this helps!

Garagoth · December 15, 2019, 12:07pm

I am fairly certain that certificated generated using a time constrained token DO function after token expires.
If they would expire, all of our certificates would stop working, which would mean total system malfunction… and we use only (so far) tokens that have expiration time up to 3 days max.

I just checked and we have generate_lease set to true. However certificates does not expire then token expires, which does contradict what docs say, and working system is a proof… (and no revocation time on them as well).

Changing it to false indeed allows me to generate a certificate and receive it alive, thanks for this hint.