Vault token with num_uses

Hello dear All,

I am creating a new Vault token where I need to set "num_uses": 3 and a TTL of 24h.
The TTL value works fine for me, but when I add the option "num_uses": 3, I can log in to Vault with the token but cannot see any Vault data and get this error:

“Ember Data Request GET /v1/sys/internal/ui/mounts returned a 403 Payload (application/json) [object Object] , Permission denied”

Also, after logging off I cannot log in a second time with the same token.

I assume some policy for token is missing, any suggestions please?

Method I am using :

curl --insecure --header "X-Vault-Token:<TOKEN>" --request POST --data @payload.json https://<vault_address>/v1/auth/token/create

Response:

{"request_id":"7cf941c2-6574-6949-fcb5-c70743e179fe","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"","accessor":"","policies":["<my_policy>","default"],"token_policies":["<my_policy>","default"],"metadata":null,"lease_duration":86400,"renewable":true,"entity_id":"","token_type":"service","orphan":true}}

Thank you

Hi Marian,

The token_num_uses is decremented from an API call perspective. So you need to account for every action within the GUI that token will be performing.

For instance, just logging in via the UI will consume several including these endpoints:

  • auth/token/lookup-self
  • sys/internal/ui/resultant-acl
  • sys/capabilities-self
  • sys/internal/ui/mounts
  • sys/internal/ui/namespaces (if using enterprise)

So you’d need at least 5 or 6 uses available to do anything useful in the GUI.

However, as you navigate in the GUI that will consume several as well - such as listing secret mounts, listing roles, configurations, etc.

It adds up quickly, and if you want to restrict the number of uses you'll probably need to inspect the log files and account for all the paths the GUI enumerates and accesses by nature of how it works.

2 Likes
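The audit-log counting that the answer above suggests, as an added example that is not part of the thread or of Vault itself. It assumes the JSON-lines shape Vault's file audit device writes (one `request` or `response` object per line, with the token accessor under `auth.accessor` and the path under `request.path`); the sample lines, accessor hashes and request ids below are constructed, and the paths are the ones the answer lists for a UI login. The script counts request entries per token accessor (each one costs a use), reports which call a given `num_uses` budget would refuse, and pulls out the `permission denied` responses that show up once the budget is spent. Note that accessors in the audit log are HMAC'd by default, so you match on the hashed value (or hash your own accessor via `sys/audit-hash`).

```python
"""Size num_uses for a Vault token by counting its requests in the audit log.

Added example, not code from the thread. Assumes Vault's file audit device
format: one JSON object per line, "type" is "request" or "response",
the (HMAC'd) token accessor lives in auth.accessor and the path in request.path.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: a UI login by token "aaa" that was created with
# num_uses=3. The fourth request is refused, and an unrelated token "bbb"
# makes one call. A damaged line is included to show it is skipped.
SAMPLE_AUDIT_LOG = """\
{"time":"2023-01-01T10:00:00Z","type":"request","auth":{"accessor":"hmac-sha256:aaa","token_type":"service"},"request":{"id":"r1","operation":"read","path":"auth/token/lookup-self"}}
{"time":"2023-01-01T10:00:01Z","type":"request","auth":{"accessor":"hmac-sha256:aaa","token_type":"service"},"request":{"id":"r2","operation":"read","path":"sys/internal/ui/resultant-acl"}}
{"time":"2023-01-01T10:00:01Z","type":"request","auth":{"accessor":"hmac-sha256:aaa","token_type":"service"},"request":{"id":"r3","operation":"update","path":"sys/capabilities-self"}}
{"time":"2023-01-01T10:00:02Z","type":"request","auth":{"accessor":"hmac-sha256:aaa","token_type":"service"},"request":{"id":"r4","operation":"read","path":"sys/internal/ui/mounts"}}
{"time":"2023-01-01T10:00:02Z","type":"response","auth":{"accessor":"hmac-sha256:aaa","token_type":"service"},"request":{"id":"r4","operation":"read","path":"sys/internal/ui/mounts"},"error":"permission denied"}
{"time":"2023-01-01T10:00:05Z","type":"request","auth":{"accessor":"hmac-sha256:bbb","token_type":"service"},"request":{"id":"r5","operation":"read","path":"secret/data/app"}}
not json at all
"""


def parse_audit_log(text):
    """Return one dict per well-formed JSON line; blank or damaged lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def request_paths(entries):
    """Map accessor -> ordered list of paths it requested.

    Only "request" entries count: every one of them decrements num_uses,
    regardless of whether Vault later answered with data or an error.
    """
    paths = defaultdict(list)
    for e in entries:
        if e.get("type") != "request":
            continue
        accessor = e.get("auth", {}).get("accessor")
        path = e.get("request", {}).get("path")
        if accessor and path:
            paths[accessor].append(path)
    return dict(paths)


def uses_per_accessor(entries):
    """Number of uses each accessor consumed, i.e. the minimum num_uses it needed."""
    return Counter({acc: len(p) for acc, p in request_paths(entries).items()})


def denied_requests(entries):
    """(accessor, path) pairs for responses Vault refused with 'permission denied'."""
    return [
        (e["auth"]["accessor"], e["request"]["path"])
        for e in entries
        if e.get("type") == "response" and e.get("error") == "permission denied"
    ]


def simulate_num_uses(num_uses, paths):
    """Replay a recorded request sequence against a num_uses budget.

    Returns (served, first_denied): the paths that fit in the budget and the
    first path that would be refused once it is exhausted (None if all fit).
    """
    served = list(paths[:num_uses])
    first_denied = paths[num_uses] if len(paths) > num_uses else None
    return served, first_denied


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    for accessor, paths in request_paths(entries).items():
        _, refused = simulate_num_uses(3, paths)
        print(f"{accessor}: {len(paths)} requests -> needs num_uses >= {len(paths)}; "
              f"with num_uses=3 the first refused call is {refused}")
    print("denied:", denied_requests(entries))
```

Run it against a real audit file by replacing `SAMPLE_AUDIT_LOG` with the file contents and looking up your token's accessor hash; the per-accessor count is the smallest `num_uses` that would have let that session complete.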

Thank you Jeff for your answer, very helpful :blush: