terraform-provider-vault
vault_token ttl
Terraform Version
$ terraform -v
Terraform v0.13.5
- provider registry.terraform.io/hashicorp/vault v2.16.0
Affected Resource(s)
Please list the resources as a list, for example:
- vault_token
Terraform Configuration Files
resource "vault_token_auth_backend_role" "pki-gm" {
  role_name        = "pki-gm"
  allowed_policies = []
  token_period     = 3600
  renewable        = true
}

resource "vault_token" "pki-gm-token" {
  role_name    = "pki-gm"
  display_name = "pki-gm-token-terra"
  policies     = ["gm-pki-dev-token"]  # must be a quoted string; a bare word is not valid HCL
}
Expected Behavior
The token should be valid for 1h.
Actual Behavior
It expires after 20 min. Example below: I loop with `vault token lookup` on the generated token and after 20 min it expires. See below: the token still had 40m of TTL; 1 min later it has expired.
# Token create through terraform
Key Value
--- -----
accessor Gx0dASNhWmc1E8G5Zp2GD4Ui
creation_time 1606739359
creation_ttl 1h
display_name token-pki-gm-token-terra
entity_id n/a
expire_time 2020-11-30T14:29:19.64065906+01:00
explicit_max_ttl 0s
id s.tIW9gwWRt3PUMZGBNsqDsI9B
issue_time 2020-11-30T13:29:19.640662139+01:00
meta <nil>
num_uses 0
orphan false
path auth/token/create/pki-gm
policies [default gm-pki-dev-token]
renewable true
role pki-gm
ttl 40m2s
type service
Mon Nov 30 13:49:17 CET 2020
Error looking up token: Error making API request.
URL: POST http://gmadvau01.groupemutuel.ch:80/v1/auth/token/lookup
Code: 403. Errors:
* bad token
Mon Nov 30 13:50:17 CET 2020
But if I create a token via the vault binary (using the same role), I get a token that expires after 60m.
$ vault token create -policy gm-pki-dev-token -display-name "pki-gm-token" -role pki-gm
#token created via vault binaries
Key Value
--- -----
accessor tbCc4neL8m464moOv9MYkcPF
creation_time 1606737367
creation_ttl 1h
display_name token-pki-gm-token
entity_id n/a
expire_time 2020-11-30T13:56:07.392754248+01:00
explicit_max_ttl 0s
id s.XpscHwxcLIzSm1YeyuT3Kow6
issue_time 2020-11-30T12:56:07.392759365+01:00
path auth/token/create/pki-gm
policies [default gm-pki-dev-token]
renewable true
role pki-gm
ttl 59m36s
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
- terraform apply
Hey @dlambiel - Token period and ttl are not the same, please see https://www.vaultproject.io/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls for more information on their specific details.
Despite not complaining or otherwise warning about it, the Token Auth backend role doesn't actually use the token_ttl value (according to the API docs here: https://www.vaultproject.io/api-docs/auth/token).
To set the TTL for the token, use the ttl parameter in the vault_token resource, like so:
resource "vault_token_auth_backend_role" "pki-gm" {
  role_name        = "pki-gm"
  allowed_policies = []
  token_period     = 3600
  renewable        = true
}

resource "vault_token" "pki-gm-token" {
  role_name    = vault_token_auth_backend_role.pki-gm.role_name # use interpolation here
  display_name = "pki-gm-token-terra"
  ttl          = 3600
  policies     = ["gm-pki-dev-token"]
}
Please try that out and let us know!
Thanks for your input. I had to remove the token_period from the role, as it was taking precedence over the ttl from the vault_token. But no luck. Still 20 min.
Tue Dec 1 08:52:41 CET 2020
Key Value
--- -----
accessor 2U2B5hcPaZlPTfyqsiCLlRkb
creation_time 1606808070
creation_ttl 1h
display_name token-pki-gm-token-terra
entity_id n/a
expire_time 2020-12-01T09:34:30.155125434+01:00
explicit_max_ttl 0s
id s.OHWmfmPxVzidpBWOKXHbe9dy
issue_time 2020-12-01T08:34:30.155128337+01:00
meta <nil>
num_uses 0
orphan false
path auth/token/create/pki-gm
policies [default gm-pki-dev-token]
renewable true
role pki-gm
ttl 40m48s
type service
Tue Dec 1 08:53:41 CET 2020
Error looking up token: Error making API request.
I also tried a 2h token or more, and I still get 20 min.
I'm having the same problem. See here: https://discuss.hashicorp.com/t/vault-token-expiring/19012/4
Tokens created via the vault client do not exhibit this behavior, only the terraform provider.
I was able to make some progress on this.
In my provider block, I had to add the max_lease_ttl_seconds parameter:
provider "vault" {
address = "https://vault.foo.com:8200"
token = "s.abcdefghijklmnopqrstuvwxyz"
version = "= 2.15.0"
max_lease_ttl_seconds = 3600
}
When I then tried making a token, it would expire after an hour, vs. 20 minutes. This seems to be a feature (https://registry.terraform.io/providers/hashicorp/vault/latest/docs), however there is still an issue in that the setting isn't reflected in the displayed TTL when using vault lookup.
Here is an example. The vault lookup commands were run at approximately 5 second intervals. You can see the token go from a TTL of 767h58m to disappearing altogether.
$ vault token lookup s.skKqdRUjyNWQKDX254Atyh3D
Key Value
--- -----
accessor fgfadFMlXUr5wnbOjfIJP5Uo
creation_time 1609874585
creation_ttl 768h
display_name token-token-test
entity_id n/a
expire_time 2021-02-06T14:23:05.3933624-05:00
explicit_max_ttl 0s
id s.skKqdRUjyNWQKDX254Atyh3D
issue_time 2021-01-05T14:23:05.3933725-05:00
meta <nil>
num_uses 0
orphan false
path auth/token/create
policies [default policy-terraform-azure-us-infrastructure-nonprod]
renewable true
ttl 767h58m1s
type service
$ vault token lookup s.skKqdRUjyNWQKDX254Atyh3D
Key Value
--- -----
accessor fgfadFMlXUr5wnbOjfIJP5Uo
creation_time 1609874585
creation_ttl 768h
display_name token-token-test
entity_id n/a
expire_time 2021-02-06T14:23:05.3933624-05:00
explicit_max_ttl 0s
id s.skKqdRUjyNWQKDX254Atyh3D
issue_time 2021-01-05T14:23:05.3933725-05:00
meta <nil>
num_uses -1
orphan false
path auth/token/create
policies [default policy-terraform-azure-us-infrastructure-nonprod]
renewable true
ttl 767h58m
type service
$ vault token lookup s.skKqdRUjyNWQKDX254Atyh3D
Error looking up token: Error making API request.
URL: POST https://vault.tfe.prod.us.lnrisk.io:8200/v1/auth/token/lookup
Code: 403. Errors:
* bad token
I also tested the provider setting in the other direction. I set it to 120 seconds and saw the token expire after 2 minutes. In both tests, the displayed TTL began at 768h.
I ran a final test with the provider setting at 3600 seconds and created a token with a TTL of 2 minutes. The token showed a 2 minute TTL and expired after 2 minutes, so that scenario seems to be working.
I would suggest that token lookup should display whatever overriding background TTL exists as the TTL being displayed seems to be potentially inaccurate. If vault token lookup is going to display a TTL, it needs to be accurate. So in the case of the provider, if the max_ttl setting of the provider is lower than the desired ttl for the token being generated by the provider, the provider should either update the TTL to reflect the lower of the two, or throw an error stating that the resource parameters are invalid.
It has been some time before I was able to test, and max_lease_ttl_seconds in the provider allows me to have a token valid for more than 20 min.
The really misleading part is the TTL display on lookup. You have no way to understand why the token is expiring. Your suggestions would be a real improvement. Thanks for your input.
I've been hitting this on and off and finally narrowed it down to the fact that my problematic, prematurely expiring tokens are the ones I create with terraform rather than manually. This seems like a big issue to me, is there any other workaround to be able to set TTL on individual tokens?
https://github.com/hashicorp/terraform-provider-vault/issues/1512#issuecomment-1175127261 Looks related
The situation is as follows:
- Terraform provider uses an intermediate token while communicating with Vault API, the token TTL is set to 20 minutes by default. https://registry.terraform.io/providers/hashicorp/vault/latest/docs#max_lease_ttl_seconds
- When creating the non-orphan token with Terraform or from vault cmd, the created token becomes a child of the token it was created from. So by default, Terraform provider tokens will expire with their parent after 20 minutes, no matter which TTL was set.
- When creating the same token with the vault CLI, the vault login most likely was made with the root token; the root token doesn't have a TTL, so its child token will expire as defined by its own TTL attribute.
- To achieve the expected behavior, you must create orphan tokens with no parent. https://developer.hashicorp.com/vault/tutorials/tokens/tokens#orphan-tokens
- Example with no_parent=true:
resource "vault_token_auth_backend_role" "pki-gm" {
  role_name        = "pki-gm"
  allowed_policies = []
  token_period     = 3600
  renewable        = true
}

resource "vault_token" "pki-gm-token" {
  role_name    = "pki-gm"
  display_name = "pki-gm-token-terra"
  policies     = ["gm-pki-dev-token"]  # quoted; a bare word is not valid HCL
  no_parent    = true                  # detach from the provider's short-lived intermediate token
}
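Both the max_lease_ttl_seconds experiments above and the parent/child explanation in this comment come down to one calculation that `vault token lookup` does not do for you: a non-orphan token is gone as soon as the provider's intermediate token is, whatever its own ttl field says. The script below is an added example written for this thread, not code from the provider or from Vault. It reads a lookup in the JSON shape the token lookup API returns, and assumes (labelled in the code) that the provider's intermediate token was issued right before the child and lives max_lease_ttl_seconds (1200 s by default); the sample lookup and PARENT_ISSUE_TIME are constructed from the numbers in the first report.

```python
"""Work out when a token created through the Terraform Vault provider will
really stop working, from `vault token lookup -format=json` output.

Added example for this thread; not code from the provider or from Vault.
Assumptions:
  * the provider's intermediate (parent) token is issued when `terraform apply`
    starts and lives max_lease_ttl_seconds (provider default 1200 s);
  * a non-orphan token is revoked together with its parent, so its usable life
    is the earlier of its own expire_time and the parent's expiry;
  * SAMPLE_LOOKUP is constructed from the first report, in the JSON shape the
    lookup API returns (TTLs as integer seconds, RFC3339 timestamps).
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta

PROVIDER_DEFAULT_MAX_LEASE_TTL = 1200  # provider docs: default max_lease_ttl_seconds

# Constructed sample (first lookup in the report): creation_ttl 1h, 40m2s left,
# orphan=false because the provider created it from its own intermediate token.
SAMPLE_LOOKUP = json.loads("""{
  "data": {
    "accessor": "Gx0dASNhWmc1E8G5Zp2GD4Ui",
    "creation_ttl": 3600,
    "display_name": "token-pki-gm-token-terra",
    "expire_time": "2020-11-30T14:29:19.64065906+01:00",
    "explicit_max_ttl": 0,
    "issue_time": "2020-11-30T13:29:19.640662139+01:00",
    "orphan": false,
    "path": "auth/token/create/pki-gm",
    "renewable": true,
    "ttl": 2402
  }
}""")

# Assumed: the provider obtained its intermediate token right before creating ours.
PARENT_ISSUE_TIME = "2020-11-30T13:29:19+01:00"

_RFC3339 = re.compile(r"^(.*T\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)$")


def parse_rfc3339(value: str) -> datetime:
    """Vault prints nanosecond fractions; fromisoformat takes at most six digits."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC3339 timestamp: {value!r}")
    base, frac, tz = m.groups()
    frac = (frac or "0")[:6].ljust(6, "0")
    return datetime.fromisoformat(f"{base}.{frac}{'+00:00' if tz == 'Z' else tz}")


def effective_expiry(lookup: dict, parent_issue_time: str,
                     max_lease_ttl_seconds: int = PROVIDER_DEFAULT_MAX_LEASE_TTL) -> tuple[datetime, str]:
    """Return (moment the token really stops working, reason)."""
    data = lookup["data"]
    own_expiry = parse_rfc3339(data["expire_time"])
    if data.get("orphan"):
        return own_expiry, "orphan token: lives until its own expire_time"
    parent_expiry = parse_rfc3339(parent_issue_time) + timedelta(seconds=max_lease_ttl_seconds)
    if parent_expiry < own_expiry:
        lost = int((own_expiry - parent_expiry).total_seconds())
        return parent_expiry, (f"child of the provider's intermediate token: revoked with its "
                               f"parent, {lost}s before the expire_time that lookup displays")
    return own_expiry, "child token, but its parent outlives it"


def remaining_seconds(lookup: dict, now: str, parent_issue_time: str,
                      max_lease_ttl_seconds: int = PROVIDER_DEFAULT_MAX_LEASE_TTL) -> int:
    """Usable seconds left at `now`, as opposed to the `ttl` field lookup prints."""
    when, _ = effective_expiry(lookup, parent_issue_time, max_lease_ttl_seconds)
    return max(0, int((when - parse_rfc3339(now)).total_seconds()))


if __name__ == "__main__":
    for max_lease in (PROVIDER_DEFAULT_MAX_LEASE_TTL, 7200):
        when, why = effective_expiry(SAMPLE_LOOKUP, PARENT_ISSUE_TIME, max_lease)
        print(f"max_lease_ttl_seconds={max_lease}: usable until {when.isoformat()} ({why})")
    # The report's 13:49:17 lookup still showed ttl=40m2s; the token was gone a minute later.
    print("really left at 13:49:17:",
          remaining_seconds(SAMPLE_LOOKUP, "2020-11-30T13:49:17+01:00", PARENT_ISSUE_TIME))
```

With the provider default the sample token is usable until 13:49:19, which matches the report (still 40m of ttl at 13:49:17, "bad token" at 13:50:17); with max_lease_ttl_seconds raised above the requested ttl, or with orphan=true (what no_parent = true produces), the displayed expire_time is the real one. Note that setting max_lease_ttl_seconds exactly equal to the token ttl leaves the two expiries seconds apart, so use a clear margin or no_parent rather than matching values.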
I ran into this issue. Did all work arounds without success. Appreciate any help.