Token management
The Tokens tutorial demonstrated the lifecycle of Vault tokens. Remember that Vault persists the service tokens in the storage backend until they expire and Vault revokes them. Depending on the auth method, the generated service token varies in its size due to the amount of metadata attached to it. To avoid unused tokens from overtaking the storage memory, set an explicit token time-to-live (TTL) so that Vault will automatically revoke expired tokens.
Lab setup
To perform the tasks described in this tutorial, you need to have a Vault environment.
Refer to the Getting Started tutorial to install Vault.
Start a Vault
dev
server withroot
as the root token.Insecure operation
Do not run a Vault dev server in production. This approach is only used here to simplify the unsealing process for this demonstration.
Export an environment variable for the
vault
CLI to address the Vault server.Login with the root token.
The Vault server is ready.
Configure the token TTL
When you create tokens or leases with no specific TTL values, the default value applies to them.
Create a token with default policy.
Notice that the token TTL (
token_duration
) is 768 hours although you did not provide the TTL value.Display the
token
auth method settings.The
token
auth method is the core method of authentication with Vault; therefore, Vault enables it by default while other auth methods must be enabled explicitly. Notice that thetoken_type
isdefault-service
.Note
The Default TTL and Max TTL of the
token
auth method is set tosystem
.Read the default TTL settings for token auth method.
The default token TTL (
default_lease_ttl
) and the max TTL (max_lease_ttl
) is set to 32 days (768 hours). This implies that the tokens are valid for 32 days from its creation whether an app is using the token or not.Tip
The Tokens tutorial demonstrated various parameters to control the token lifecycle; however, users often neglect to specify the token TTL.
You can override the default TTL on the
token
auth method itself so that Vault will revoke expired token in a reasonable amount of time.Set the default TTL to 8 hours and max TTL to 30 days (720 hours).
Read the configuration to verify.
Verification
Create a new token without specifying its TTL.
Tip
Tune any of the auth method configurations using the /sys/auth/<METHOD>/tune
endpoint to override the system defaults.
Get the token count
If the token TTL is set reasonably, Vault should not be storing many unused tokens.
Refer to the Vault Usage Metrics tutorial which demonstrates the Usage Metrics dashboard.
Get the service token counts.
Example output:
The example output shows that there are 5 service tokens. In reality, you may have hundreds of app instances connecting to Vault. Then it becomes more important to know how many tokens exist in the Vault's storage backend.
Note
Remember that Vault does not persist batch tokens. Therefore,
the sys/internal/counters/tokens
endpoint returns the number of service tokens
in Vault.