How to Create and Revoke Vault Tokens Against a Policy

From PheonixSolutions

Introduction

HashiCorp Vault is widely used for secure secret management. One of its key features is fine-grained access control via policies and tokens. Vault tokens are used to authenticate and access secrets stored in HashiCorp Vault. To keep access secure, it is best practice to tie tokens to specific policies and revoke them when no longer needed.

Prerequisites

  • A working Vault setup (development or production mode)
  • Vault CLI installed and accessible via your terminal
  • Root token or sufficient privileges to manage policies and tokens
  • An SSH user with sudo privileges

Implementation

I. Create a New Vault Token Against a Policy

vault token create -ttl=0 -policy=policyname -address=http://127.0.0.1:8200 -tls-skip-verify

Purpose: Creates a new token bound to a specific policy. With -ttl=0 the token receives Vault's default lease TTL (768 hours on a stock configuration, and never more than the configured max_lease_ttl). Use this only for a service that genuinely needs long-lived access; for everything else pass an explicit TTL such as -ttl=24h. The command prints both the token and its token_accessor; record the accessor, since it lets you look up and revoke the token later without handling the secret itself.

Explanation

  1. vault token create – Creates a new token
  2. -ttl=0 – Leaves the TTL unset, so Vault applies its default lease TTL (768 hours on a stock installation, capped by max_lease_ttl); this is not infinite. The one exception is a token that carries the root policy, which gets no expiry at all.
  3. -policy=policyname – Binds the token to a specific policy
  4. -address=http://127.0.0.1:8200 – Points CLI to the Vault server
  5. -tls-skip-verify – Skips verification of the server's TLS certificate. It has no effect on a plain http:// address like the one above, and it should never be used against a production https:// listener, where it removes the protection against a spoofed Vault endpoint.

II. Look Up a Token

vault token lookup <your-token>

Replace <your-token> with the actual token string. Passing the token as an argument records it in your shell history; when you only need to inspect it, prefer vault token lookup -accessor <accessor>, which returns the same details without exposing the token value.

Purpose: Displays detailed information about a Vault token for auditing or debugging, without changing it.

Explanation

  1. creation_time, issue_time and expire_time – When the token was issued and when it stops working
  2. ttl, creation_ttl and explicit_max_ttl – Remaining lifetime and the limits it was created with
  3. policies – The policies attached to the token (the default policy is included unless it was created with -no-default-policy)
  4. renewable – Whether vault token renew can extend it
  5. meta, num_uses, orphan and path – Metadata, the remaining use count (0 means unlimited), and the auth path that issued it

III. Revoke a Token

vault token revoke -address="http://127.0.0.1:8200" -tls-skip-verify <your-token>

Purpose: Revokes (invalidates) a Vault token, making it unusable for any further API calls or secret access. By default revocation cascades: child tokens created with it and leases it obtained are revoked as well (pass -mode=orphan to revoke only the token itself). A subsequent vault token lookup on the revoked token fails, which is the check to run after revoking.

Explanation

  1. vault token revoke – Base command to revoke a token
  2. -address="http://127.0.0.1:8200" – Specifies Vault server address
  3. -tls-skip-verify – Skips TLS certificate verification; irrelevant for an http:// address and not recommended against a production https:// listener
  4. <your-token> – The full token string to revoke. If you kept the accessor from creation, vault token revoke -accessor <accessor> revokes the token without the secret ever appearing on the command line.
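Sections I to III as one lifecycle, driven over the HTTP API that the CLI calls (PUT sys/policies/acl/<name>, POST auth/token/create, auth/token/lookup-accessor and auth/token/revoke-accessor, GET auth/token/lookup-self). This is an added example, not code from the page or from HashiCorp. The policy name app-readonly, the 24h TTL and the FakeVault class are assumptions; FakeVault is a constructed in-memory stand-in used only so the script runs without a server, and leaving the transport argument out sends the same requests to a real Vault.

```python
"""Vault token lifecycle against a policy, over the HTTP API behind
vault token create / lookup / revoke. Added example; FakeVault below is a
constructed stand-in, not Vault."""
import json
import secrets
import urllib.error
import urllib.request

# Least-privilege policy the token is bound to (HCL, as vault policy write accepts it). Assumed name/path.
APP_POLICY = 'path "secret/data/app/*" { capabilities = ["read"] }'


class VaultClient:
    """Minimal client for the endpoints used by the CLI commands on this page."""

    def __init__(self, addr, token, transport=None):
        self.addr = addr.rstrip("/")
        self.token = token
        self.transport = transport or self._http  # transport(method, path, body, token) -> (status, json)

    def _http(self, method, path, body, token):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.addr + path, data=data, method=method,
                                     headers={"X-Vault-Token": token})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:  # Vault answers 4xx with {"errors": [...]}
            return err.code, json.loads(err.read() or b"{}")

    def _call(self, method, path, body=None):
        status, data = self.transport(method, "/v1" + path, body, self.token)
        if status >= 400:
            raise RuntimeError(f"{method} {path}: HTTP {status} {data.get('errors')}")
        return data

    def write_policy(self, name, hcl):
        self._call("PUT", f"/sys/policies/acl/{name}", {"policy": hcl})

    def create_token(self, policies, ttl):
        # ttl "0" means "use the default lease TTL" (and no expiry for root-policy tokens): refuse it.
        if ttl in ("", "0"):
            raise ValueError("refuse to mint a token without an explicit TTL")
        auth = self._call("POST", "/auth/token/create", {"policies": policies, "ttl": ttl})["auth"]
        return auth["client_token"], auth["accessor"], auth["token_policies"]

    def lookup_accessor(self, accessor):
        # Audit through the accessor: policies and TTL come back, the "id" field is empty.
        return self._call("POST", "/auth/token/lookup-accessor", {"accessor": accessor})["data"]

    def revoke_accessor(self, accessor):
        self._call("POST", "/auth/token/revoke-accessor", {"accessor": accessor})

    def token_is_live(self, token):
        # lookup-self authenticated as the token itself: 200 while valid, 403 once revoked or expired.
        status, _ = self.transport("GET", "/v1/auth/token/lookup-self", None, token)
        return status == 200


class FakeVault:
    """Constructed in-memory stand-in (NOT Vault) so the lifecycle runs offline. It mirrors only
    what the example relies on: default policy attached, accessor lookups hide the token id,
    revoked tokens get 403 on lookup-self."""

    def __init__(self, root_token):
        self.policies = {}
        self.tokens = {root_token: {"accessor": "root-acc", "policies": ["root"], "ttl": 0}}
        self.accessors = {"root-acc": root_token}

    def __call__(self, method, path, body, token):
        entry = self.tokens.get(token)
        if entry is None:
            return 403, {"errors": ["permission denied"]}
        if path.startswith("/v1/sys/policies/acl/"):
            self.policies[path.rsplit("/", 1)[1]] = body["policy"]
            return 204, {}
        if path == "/v1/auth/token/create":
            tok, acc = "hvs." + secrets.token_hex(16), secrets.token_hex(12)
            pols = sorted(set(body["policies"]) | {"default"})
            self.tokens[tok] = {"accessor": acc, "policies": pols, "ttl": body["ttl"]}
            self.accessors[acc] = tok
            return 200, {"auth": {"client_token": tok, "accessor": acc, "token_policies": pols}}
        if path == "/v1/auth/token/lookup-self":
            return 200, {"data": dict(entry, id=token)}
        if path == "/v1/auth/token/lookup-accessor":
            tok = self.accessors.get(body["accessor"])
            return (400, {"errors": ["invalid accessor"]}) if tok is None else (200, {"data": dict(self.tokens[tok], id="")})
        if path == "/v1/auth/token/revoke-accessor":
            tok = self.accessors.pop(body["accessor"], None)
            if tok is None:
                return 400, {"errors": ["invalid accessor"]}
            del self.tokens[tok]
            return 204, {}
        return 404, {"errors": ["unsupported path"]}


def lifecycle(client, policy_name="app-readonly", ttl="24h"):
    """Create against a policy -> audit by accessor -> revoke by accessor -> verify it is dead."""
    client.write_policy(policy_name, APP_POLICY)
    token, accessor, policies = client.create_token([policy_name], ttl)
    audit = client.lookup_accessor(accessor)
    live_before = client.token_is_live(token)
    client.revoke_accessor(accessor)
    return {"policies": policies,
            "audit_hides_token": audit["id"] == "" and audit["policies"] == policies,
            "live_before_revoke": live_before,
            "live_after_revoke": client.token_is_live(token)}


if __name__ == "__main__":
    # Offline run against the constructed fake; against a real server drop the transport argument
    # and pass your own address and privileged token.
    print(lifecycle(VaultClient("http://127.0.0.1:8200", "root", transport=FakeVault("root"))))
```

After creation the script works only with the accessor, so the token value itself never re-enters a command line, shell history or log, and the final lookup-self is the post-revocation check described above.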

Conclusion

Vault tokens provide secure and flexible access to secrets, but must be managed carefully. Mismanaged tokens can lead to over-permissioned access, security gaps, and compliance issues. Always follow best practices: assign minimal necessary policies, monitor usage, and revoke unused tokens promptly.