Vault does not support interacting with multiple vault servers nor storing separate tokens for each.
Is your feature request related to a problem? Please describe.
vault login generates ~/.vault-token for whichever vault server you specified via -address or via the VAULT_ADDR environment variable. But if you try to access a different vault server it'll try to use the key from the initial vault server and has no sense of token organization.
Describe the solution you'd like
It would be pretty outstanding if .vault-token could describe multiple vault server addresses in its token file so you can login per site.
Such as:
$ cat ~/.vault-token
vault.domainone.net=s.ADOIVNDQoinqoig294nmagof
vault.domaintwo.com.au=s.GAkf0e2mv09qegfm901vm9e
And so forth for each VAULT_ADDR you've used in a session.
Describe alternatives you've considered
Other than modifying vault itself:
- Referencing a variable $VAULT_TOKEN for every single run
- Vault wrapper scripts to achieve the same effect.
Explain any additional use-cases
Any human being interacting with more than one vault cluster having to work with more than one token for multiple vault remotes.
I too would like to see this feature optionally available.
I am aware that Vault provides an extension point, and even suggests a script a user can copy/paste to gain similar functionality: https://developer.hashicorp.com/vault/docs/commands/token-helper
However, I think it's such a standard thing to want to do, it is an odd decision to force this to remain outside core Vault.
I'm pretty sure there have been other issues opened by others in the past asking for the same.
#1937 #247 #2092 #7159 all show further interest in a more flexible token management capability in Vault core.
https://github.com/joemiller/vault-token-helper is an example of what people have come up with as an external tool.
Considering I have my own hacky shell scripts in this direction at work, and would love to have a simpler option to more easily share with colleagues, I'd be interested in working on a PR, if we could agree a direction that HashiCorp are happy with.
One caveat: varied tokens based on VAULT_ADDR are not always what people want. I myself have been known to update VAULT_ADDR whilst intentionally using the same token, to test behaviour differences between different Vault nodes in a cluster, or between direct and via-loadbalancer access.
We would need to be sensitive to this use case and general compatibility concerns, in making any change.
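As an added example for this thread (not Vault's code and not any commenter's script), here is a token helper that implements the per-address file layout proposed in the opening post through the token helper extension point linked in the previous comment: one `host=token` line per VAULT_ADDR host. The file path, the `VAULT_MULTI_TOKEN_FILE` override and the host-only keying are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Vault's code): a token helper keeping one token per
# VAULT_ADDR host in "host=token" lines, the layout proposed in the issue.
# Assumed: the file path below and the VAULT_MULTI_TOKEN_FILE override.
TOKEN_FILE="${VAULT_MULTI_TOKEN_FILE:-$HOME/.vault-tokens}"

# Reduce VAULT_ADDR to its host[:port] so scheme or trailing path changes
# still map to the same stored token.
addr_key() {
  printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#/.*$##'
}

# Print the token for this address; no output means "not logged in here".
helper_get() {
  [ -f "$TOKEN_FILE" ] || return 0
  key=$(addr_key "$1")
  awk -F= -v k="$key" '$1 == k { print substr($0, length(k) + 2); exit }' "$TOKEN_FILE"
}

# Drop this address's line, rewriting the file with owner-only permissions.
helper_erase() {
  [ -f "$TOKEN_FILE" ] || return 0
  key=$(addr_key "$1")
  tmp="$TOKEN_FILE.tmp.$$"
  ( umask 077; awk -F= -v k="$key" '$1 != k' "$TOKEN_FILE" > "$tmp" ) && mv "$tmp" "$TOKEN_FILE"
}

# Replace any existing token for this address with the new one.
helper_store() {
  helper_erase "$1"
  ( umask 077; printf '%s=%s\n' "$(addr_key "$1")" "$2" >> "$TOKEN_FILE" )
}

# Token helper contract: argv[1] is get|store|erase, VAULT_ADDR comes from the
# environment, and "store" reads the token from stdin.
token_helper() {
  addr="${VAULT_ADDR:?VAULT_ADDR must be set}"
  case "$1" in
    get)   helper_get "$addr" ;;
    store) IFS= read -r tok; helper_store "$addr" "$tok" ;;
    erase) helper_erase "$addr" ;;
    *)     echo "usage: $0 get|store|erase" >&2; return 2 ;;
  esac
}

# Dispatch only when invoked by Vault with a verb; sourcing just defines functions.
case "${1:-}" in get|store|erase) token_helper "$1" ;; esac
```

Because the key is the host, the same-token-across-nodes workflow from the caveat above still needs an explicit VAULT_TOKEN, since the CLI consults VAULT_TOKEN before the helper.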
I would need this to support different organizations with my PC and laptop :smile:
I ended up writing my own that month thanks. Still weird for vault to actively not implement support for managing multiple tokens per vault_addr.
@divyaac Why was this issue closed?