From f993c6a905cb48001572ca16472a166a8f8c05eb Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Tue, 25 Apr 2023 02:20:34 +0200 Subject: [PATCH] feat(docs): Explain listing and deleting orphan tokens (#3) --- README.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/README.md b/README.md index bc18ff0..73b4534 100644 --- a/README.md +++ b/README.md @@ -224,6 +224,40 @@ Write down the generated `client_token`. Lastly don't forget to create some key value pairs underneath `kv/rbacgroup_remco` that the token can access. +#### Token lifecycle management + +Revoke an orphan token like so via Vault CLI client. See [Authenticate against Vault](#authenticate-against-vault) at the top for how to authenticate your Vault CLI client and then: +``` +vault token revoke -accessor . +``` + +Find all orphan tokens by their accessor like so. This requires `list` access to `auth/token/accessors`. Members of the `administrators` group outlined above have this. +``` +vault list -format json auth/token/accessors |\ + jq -r .[] |\ + xargs -I '{}' vault token lookup -format json -accessor '{}' |\ + jq -r 'select((.data.entity_id=="") and (.data.orphan==true) and (.data.path=="auth/token/create-orphan"))' +``` + +Output will for example look like: +``` +{ + "request_id": "170d8a93-7b61-9ec2-9df7-ad7a8ca0be88", + "lease_id": "", + "lease_duration": 0, + "renewable": false, + "data": { + "accessor": "66IzIsoOpXycYqF33JmfIb8G", + ... + "entity_id": "", + ... + }, + "warnings": null +} +``` + +Where the `accessor` ID (here `66IzIsoOpXycYqF33JmfIb8G`) is what you're going to want to use in your CLI command `vault token revoke`. + ## Clean-up If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token.
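Review bot: The permission statement in the "Find all orphan tokens" paragraph is incomplete, and the revoke example uses a confusing placeholder. The pipeline does not only `list` `auth/token/accessors`; the `xargs ... vault token lookup -accessor '{}'` step calls `auth/token/lookup-accessor`, which needs `update` capability on that path, so the sentence "This requires `list` access to `auth/token/accessors`" should also mention `update` on `auth/token/lookup-accessor` (or state that the `administrators` policy grants both). In the revoke example, `vault token revoke -accessor .` reads as if `.` were a literal argument; replace it with an explicit placeholder such as `vault token revoke -accessor <accessor>` and point out that revoking by accessor also revokes any child tokens the orphan has created. Minor: "Where the `accessor` ID ... is what you're going to want to use" is a sentence fragment; rewording it to "The `accessor` value (here `66IzIsoOpXycYqF33JmfIb8G`) is the argument to pass to `vault token revoke -accessor`." keeps the meaning and reads as a full sentence.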