What will happen if we lost the token which we were using in our application?

Tekchanddagar · December 14, 2022, 4:58am

Hello Team,
I am new in Vault and exploring it. I have setup 3 node vault cluster uisng ETCD storage (3 node for it as well) and successfully explore the Auto unseal also using AWS KMS.

Some question arise in my mind and able to found the answer of them e.g:

We can generate new token with read-only permission and we can use them in our application.
We should never use root token.
If we lost the root token but have unseal key then we can generate new root token if required.
If we lost root token and unseal key also then we can’t do anything. With unseal key we can’t unseal vault.

But I have one more question and didn’t found the answer. Can you please help me?

Q. Let suppose we lost the token (read/write permission) which we are using in our application but we can generate new token using useal key. Can we read old data which was created using old token?

My question might not be valid or good, sorry for that in advance.

Thank You

Joffrey · December 14, 2022, 4:07pm

You must have an “operator” policy. This operator (human) must have some permissions to write policies and operate on auth backends.
If you loose a token, the operator can generate a new one.

PS: consider using Approle for apps authentication

Topic		Replies	Views
Rekey without unseal keys Vault	0	36	September 20, 2024
Vault can be accessed without root token (or any token) Vault	5	1175	January 24, 2024
Generate new tokens without needing the root token, approle help somewhat related Vault	6	463	March 4, 2021
Token help - how to create and manage Vault	1	244	March 4, 2021
Missing recovery token of Vault deployed auto-unseal with AWS KMS Vault vault	4	634	February 20, 2022

What will happen if we lost the token which we were using in our application?

Related topics