hashicorp-vault-plugin
Token expiry not respecting num_uses
Hey,
The changes in #138 allow the plugin to re-use a token up to its TTL, but this doesn't work if the token has a maximum number of uses, as it will continue to try and use the token even after it has been used up.
For example, we previously configured the generated tokens to have a single use, since a new token was generated for every request. This no longer works, as even with a short TTL the plugin will attempt to re-use the token.
It's also worth mentioning that even were the num_uses included in the expiry calculation, a single-use token may no longer be possible as I believe looking up token metadata counts against the number of uses:
https://github.com/jenkinsci/hashicorp-vault-plugin/blob/005818d4e7bf9e96e2d5fc7df20b7a9d8de595cb/src/main/java/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpiration.java#L47
Is it possible to have the plugin respect the num_uses of a token? Ideally it would also be possible to have single-use tokens but if not then that should at least be documented.
Thanks
Maybe we should treat single-use tokens (num_uses=1) as a special kind of token and not worry about expiry in that case.
Single-use tokens are not very useful with the current plugin in any case. Why not just say that ttl is ok and num_uses is not ok with the current version of the plugin?
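The behaviour requested in this issue, as an added sketch that is not the plugin's own code: a cache that retires a token when either its TTL or its use budget runs out, counting uses locally so that no lookup call is spent on the token. The class and method names are hypothetical, the token values and clock are constructed, and it assumes Vault's convention that num_uses = 0 means no limit.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

/** Hypothetical cache; not the plugin's AbstractVaultTokenCredentialWithExpiration. */
public class UseLimitedTokenCache {
    static final int UNLIMITED = -1;

    /** A token together with the TTL and num_uses it was issued with. */
    static final class Lease {
        final String token;
        final Instant expiresAt;
        int usesLeft;
        Lease(String token, Duration ttl, int numUses, Instant issuedAt) {
            this.token = token;
            this.expiresAt = issuedAt.plus(ttl);
            // Assumption: num_uses = 0 means the token has no use limit.
            this.usesLeft = numUses == 0 ? UNLIMITED : numUses;
        }
        boolean usable(Instant now) {
            return now.isBefore(expiresAt) && usesLeft != 0;
        }
    }

    private final Supplier<Lease> minter;
    private Lease current;

    UseLimitedTokenCache(Supplier<Lease> minter) { this.minter = minter; }

    /** Returns a token for exactly one Vault request, minting a new one when needed. */
    synchronized String tokenForRequest(Instant now) {
        if (current == null || !current.usable(now)) {
            current = minter.get(); // TTL elapsed or use budget spent
        }
        if (current.usesLeft != UNLIMITED) {
            current.usesLeft--; // charge this request against num_uses
        }
        return current.token;
    }

    public static void main(String[] args) {
        int[] minted = {0};
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed clock
        // Constructed policy: 60 second TTL, num_uses = 2.
        UseLimitedTokenCache cache = new UseLimitedTokenCache(
            () -> new Lease("token-" + (++minted[0]), Duration.ofSeconds(60), 2, t0));
        for (int i = 0; i < 5; i++) {
            System.out.println(cache.tokenForRequest(t0.plusSeconds(i)));
        }
    }
}
```

With num_uses = 1 the same logic mints a fresh token for every request, which matches the single-use setup described in the issue.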