
When I create either a periodic token or a token with a TTL, these both look to have similar properties and would behave the same, i.e. a token can be renewed for as long as it has not expired and has no explicit max TTL.

Is there a nuance between the two types of tokens that I have not fully grasped? I am still new to Vault.

Periodic tokens have a TTL (validity period), but no max TTL; therefore, they may live for an infinite duration of time so long as they are renewed within their TTL.

bar@foo / % vault token create -policy=default -ttl=60m
                Key                  Value
                ---                  -----
                token                hvs.CAESIP-pCVGqYYh4Ddow-D1mPHycaT0g1M9G9hONC62DxUiMGh4KHGh2cy5jcmgyWmJqVjQ3N2Z1c1k2QW5DcHZhT1Y
                token_accessor       cFTNlIetjlaNZRqRzuS8KfjC
                token_duration       1h
                token_renewable      true
                token_policies       ["default"]
                identity_policies    []
                policies             ["default"]
bar@foo / % vault token create -policy=default -period=60m
                Key                  Value
                ---                  -----
                token                hvs.CAESIGat0D04a55ju96wNi1shn-uxFjZqvp2aeF3qO0_BckIGh4KHGh2cy44N2VPWHBEUHRlSHRLbnJHMkw2d3Y5Z0U
                token_accessor       wRXC2EhJKkBMJdJ4zmiw39r6
                token_duration       1h
                token_renewable      true
                token_policies       ["default"]
                identity_policies    []
                policies             ["default"]
bar@foo / % vault token lookup hvs.CAESIP-pCVGqYYh4Ddow-D1mPHycaT0g1M9G9hONC62DxUiMGh4KHGh2cy5jcmgyWmJqVjQ3N2Z1c1k2QW5DcHZhT1Y << TTL
                Key                 Value
                ---                 -----
                accessor            cFTNlIetjlaNZRqRzuS8KfjC
                creation_time       1680166595
                creation_ttl        1h
                display_name        token
                entity_id           n/a
                expire_time         2023-03-30T10:56:35.692221+01:00
                explicit_max_ttl    0s
                id                  hvs.CAESIP-pCVGqYYh4Ddow-D1mPHycaT0g1M9G9hONC62DxUiMGh4KHGh2cy5jcmgyWmJqVjQ3N2Z1c1k2QW5DcHZhT1Y
                issue_time          2023-03-30T09:56:35.692224+01:00
                meta                <nil>
                num_uses            0
                orphan              false
                path                auth/token/create
                policies            [default]
                renewable           true
                ttl                 59m45s
                type                service
bar@foo / % vault token lookup hvs.CAESIGat0D04a55ju96wNi1shn-uxFjZqvp2aeF3qO0_BckIGh4KHGh2cy44N2VPWHBEUHRlSHRLbnJHMkw2d3Y5Z0U << Periodic
                Key                 Value
                ---                 -----
                accessor            wRXC2EhJKkBMJdJ4zmiw39r6
                creation_time       1680166602
                creation_ttl        1h
                display_name        token
                entity_id           n/a
                expire_time         2023-03-30T10:56:42.424072+01:00
                explicit_max_ttl    0s
                id                  hvs.CAESIGat0D04a55ju96wNi1shn-uxFjZqvp2aeF3qO0_BckIGh4KHGh2cy44N2VPWHBEUHRlSHRLbnJHMkw2d3Y5Z0U
                issue_time          2023-03-30T09:56:42.424075+01:00
                meta                <nil>
                num_uses            0
                orphan              false
                path                auth/token/create
                period              1h
                policies            [default]
                renewable           true
                ttl                 59m43s
                type                service
  • I believe the only real difference is the capability to specify a different TTL up to the maximum on renewal, and for periodic the TTL cannot be modified. – Matthew Schuchard Mar 30 '23 at 12:24
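A simplified model of the renewal rules behind the question and the comment above, as an added example rather than Vault's own code: the `SYSTEM_MAX_TTL` constant is Vault's documented default of 32 days, and `create`, `renew` and `renewals_until_failure` are hypothetical names standing in for `vault token create`/`vault token renew`. It shows the nuance the lookup output hides: a `-ttl` token with `explicit_max_ttl 0s` is still bounded by the system max TTL (and its TTL can be raised with `-increment` up to that cap), while a `-period` token is reset to its period on every renewal and is never capped.

```python
# Simplified model of Vault's token renewal rules (added example, not Vault's
# own code). Times are integer seconds; leases, accessors, num_uses are omitted.
from dataclasses import dataclass
from typing import Optional

SYSTEM_MAX_TTL = 768 * 3600  # Vault's documented default max TTL (32 days)

@dataclass
class Token:
    issue_time: int
    creation_ttl: int
    expire_time: int
    explicit_max_ttl: int = 0      # "0s" in `vault token lookup` means none
    period: Optional[int] = None   # set only for periodic tokens

def create(now: int, ttl: Optional[int] = None, period: Optional[int] = None,
           explicit_max_ttl: int = 0) -> Token:
    """Like `vault token create -ttl=...` or `-period=...` (periodic tokens are
    modelled without an explicit max TTL, as in the question)."""
    if period is not None:
        return Token(now, period, now + period, period=period)
    ttl = min(ttl, explicit_max_ttl or SYSTEM_MAX_TTL)
    return Token(now, ttl, now + ttl, explicit_max_ttl)

def renew(tok: Token, now: int, increment: Optional[int] = None) -> int:
    """Like `vault token renew [-increment=...]`; returns the new TTL in seconds."""
    if now >= tok.expire_time:
        raise ValueError("token is expired and cannot be renewed")
    if tok.period is not None:
        # Periodic: TTL resets to the period, the increment is ignored and the
        # total lifetime is never capped.
        tok.expire_time = now + tok.period
        return tok.period
    # Non-periodic: the TTL may be raised up to the max TTL on renewal, but the
    # token can never live past issue_time + max TTL (explicit or system-wide).
    hard_limit = tok.issue_time + (tok.explicit_max_ttl or SYSTEM_MAX_TTL)
    tok.expire_time = min(now + (increment or tok.creation_ttl), hard_limit)
    return tok.expire_time - now

def renewals_until_failure(tok: Token, every: int, limit: int = 10_000) -> int:
    """Renew every `every` seconds; count successful renewals before one fails."""
    now, count = tok.issue_time, 0
    for _ in range(limit):
        now += every
        try:
            renew(tok, now)
        except ValueError:
            return count
        count += 1
    return count
```

Renewing the `-ttl=60m` token every 50 minutes stops working once 32 days have passed since issue, whereas the `-period=60m` token renews for as long as the loop runs.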
