I have a workflow wherein I am generating Vault tokens via Terraform. While I am setting both the ttl and period arguments to "768h", the tokens seem to disappear after 20 minutes. I've tried multiple policy assignments (including no policies), tried with and without the default policy assignment, with and without period (only ttl), but no matter what I try, the token always gets revoked after 20 minutes. I'm not sure if it's important, but the token is revoked regardless of whether or not it's been used.
Here is a code snippet for how I am creating the token:
```hcl
resource "vault_token" "example" {
  period = "768h"
  ttl    = "768h"
}

output "token" {
  value = vault_token.example.client_token
}
```
Any help would be appreciated as I’m a bit puzzled at the moment
jlj7
December 17, 2020, 10:13pm
Hi! Just thinking out loud here, but, as you aren’t creating orphan tokens, isn’t each one you create this way tied to the TTL of the (parent) token Terraform is using? How are you creating that token?
For this test, the token I'm using with the Terraform provider is the initial root token.
I ran some more tests with both Terraform and the Vault CLI.
Via the CLI (using the command `vault token create -policy=policy-terraform-azure-us-infrastructure-nonprod`), the token does NOT expire prematurely.
Via the API:
```text
Key                 Value
accessor            V9VscJA4BKClDV39u9dbw4DO
creation_time       1608249503
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2021-01-18T18:58:23.9558101-05:00
explicit_max_ttl    0s
id                  s.qFidqi9u1YMbvHx1G7pl86tm
issue_time          2020-12-17T18:58:23.9558243-05:00
meta
num_uses            0
orphan              false
path                auth/token/create
policies            [default policy-terraform-azure-us-infrastructure-nonprod]
renewable           true
ttl                 767h26m55s
type                service
```
When creating the token via Terraform, it will be revoked after 20 minutes:
```text
Key                 Value
accessor            9BIFNxQLNsySQMh1OmLJUM08
creation_time       1608258318
creation_ttl        768h
display_name        token-token
entity_id           n/a
expire_time         2021-01-18T21:25:18.9475961-05:00
explicit_max_ttl    0s
id                  s.RgoFkiKBbkMjmC1S9Qn3XYXm
issue_time          2020-12-17T21:25:18.9476091-05:00
meta
num_uses            0
orphan              false
path                auth/token/create
policies            [default policy-terraform-azure-us-infrastructure-nonprod]
renewable           true
ttl                 767h40m45s
type                service
```
I’m not seeing a difference between the two.
jlj7
December 18, 2020, 2:06pm
Me either. I think you may have found a bug in the provider:
GitHub issue (opened 01:42PM - 30 Nov 20 UTC; labels: bug, resource/auth_backend):
### Terraform Version
```text
$ terraform -v
Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/vault v2.16.0
```
### Affected Resource(s)
Please list the resources as a list, for example:
- vault_token
### Terraform Configuration Files
```hcl
resource "vault_token_auth_backend_role" "pki-gm" {
  role_name        = "pki-gm"
  allowed_policies = []
  token_period     = 3600
  renewable        = true
}

resource "vault_token" "pki-gm-token" {
  role_name    = "pki-gm"
  display_name = "pki-gm-token-terra"
  # policy names are strings; the original report left the quotes out
  policies     = ["gm-pki-dev-token"]
}
```
### Expected Behavior
The token should be valid for 1h.
### Actual Behavior
It expires after 20min. Example below: I loop with a `vault token lookup` on the generated token, and after 20min it expires. See below: the token still had 40m of TTL; 1min later it has expired.
```bash
# Token create through terraform
Key Value
--- -----
accessor Gx0dASNhWmc1E8G5Zp2GD4Ui
creation_time 1606739359
creation_ttl 1h
display_name token-pki-gm-token-terra
entity_id n/a
expire_time 2020-11-30T14:29:19.64065906+01:00
explicit_max_ttl 0s
id s.tIW9gwWRt3PUMZGBNsqDsI9B
issue_time 2020-11-30T13:29:19.640662139+01:00
meta <nil>
num_uses 0
orphan false
path auth/token/create/pki-gm
policies [default gm-pki-dev-token]
renewable true
role pki-gm
ttl 40m2s
type service
Mon Nov 30 13:49:17 CET 2020
Error looking up token: Error making API request.
URL: POST http://gmadvau01.groupemutuel.ch:80/v1/auth/token/lookup
Code: 403. Errors:
* bad token
Mon Nov 30 13:50:17 CET 2020
```
But if I create a token via the Vault binary (using the same role), I get a token that expires after 60m.
```bash
$ vault token create -policy gm-pki-dev-token -display-name "pki-gm-token" -role pki-gm
#token created via vault binaries
Key Value
--- -----
accessor tbCc4neL8m464moOv9MYkcPF
creation_time 1606737367
creation_ttl 1h
display_name token-pki-gm-token
entity_id n/a
expire_time 2020-11-30T13:56:07.392754248+01:00
explicit_max_ttl 0s
id s.XpscHwxcLIzSm1YeyuT3Kow6
issue_time 2020-11-30T12:56:07.392759365+01:00
path auth/token/create/pki-gm
policies [default gm-pki-dev-token]
renewable true
role pki-gm
ttl 59m36s
```
### Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
1. `terraform apply`
Great find, that seems like exactly what I'm experiencing.
IIRC, when Terraform runs, it doesn't actually use the token you set in the provider (regardless of whether you set it via an env variable, directly, etc.) to actually read from / write to Vault.
Rather, what it does is use that token to generate a new token which has a shorter TTL (an intermediate token): https://registry.terraform.io/providers/hashicorp/vault/latest/docs#max_lease_ttl_seconds
This token acts like any other token, i.e., if you create a child token of this token, then the child token will be linked to the TTL of the intermediate token.
You can therefore add the `no_parent` flag when creating your token: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/token#no_parent
Hope this helps.
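The two remedies described in this thread, written out as an added example configuration (not from the original poster or the provider's docs): widening the provider's intermediate token, or detaching the created token from it with `no_parent`. The policy name is the one used in the thread; the 3600 s value and the display name are arbitrary choices.

```hcl
# Option A: widen the intermediate token Terraform issues for itself.
# max_lease_ttl_seconds defaults to 1200 (20 minutes), which is the cut-off
# seen in the lookups above. Raising it raises the TTL cap inherited by every
# child token and secret lease created during the run, so keep it as short as
# the workflow allows. TERRAFORM_VAULT_MAX_TTL is the env-var equivalent;
# address and token are taken from VAULT_ADDR / VAULT_TOKEN here.
provider "vault" {
  max_lease_ttl_seconds = 3600
}

# Option B (the fix suggested in the last reply): create the token with no
# parent, so its lifetime is no longer bound to the intermediate token.
# no_parent only takes effect for a root or sudo caller (the thread used the
# root token, which satisfies this). Apply only one of the two options.
resource "vault_token" "example" {
  display_name = "terraform-periodic" # arbitrary
  policies     = ["policy-terraform-azure-us-infrastructure-nonprod"] # from the thread
  no_parent    = true
  renewable    = true
  period       = "768h"
  ttl          = "768h"
}

# An orphan token survives revocation of the token that created it, so it is a
# long-lived credential in its own right: mark the output sensitive and prefer
# renewing the periodic token over minting a fresh one on every run.
output "token" {
  value     = vault_token.example.client_token
  sensitive = true
}
```

After `terraform apply`, `vault token lookup` on the new token should report `orphan true`; both lookups posted above show `orphan false`, which is the tell-tale sign of a token tied to the intermediate parent.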