Open david-streamlio opened 4 years ago
Reading the code I don't think it is possible for autorenew tokens to work. https://github.com/BetterCloud/vault-java-driver/blob/master/src/main/java/com/bettercloud/vault/api/pki/Pki.java#L117 goes to https://github.com/BetterCloud/vault-java-driver/blob/master/src/main/java/com/bettercloud/vault/VaultConfig.java#L356-L357
I cannot see anything in PKI (for example) to get a new token if it has expired.
I think this is a limitation with the HCVault code, as ideally it should return a 401 unauthorized when a token has expired.
For example,

```java
String token = this.vault.auth()
        .loginByAppRole("82f979a8-7222-947b-dd9a-376e03ed06ba", "e9c52fab-35a3-2783-6e86-4dcfd7addb412")
        .getAuthClientToken();
```

returns

```
Vault responded with HTTP status code: 400
Response body: {"errors":["invalid secret id"]}
```

and an expired token returns

```
Vault responded with HTTP status code: 403 {"errors":["permission denied"]}
```

To renew an existing valid token you can do

```java
final AuthResponse createResponse = this.vault.auth().renewSelf();
```
Thanks!
I am trying to create a token that can be renewed using the following code, where the vault is configured to use the root token:

```java
TokenRequest tokenRequest = new TokenRequest().ttl("1m").renewable(true).explicitMaxTtl("8h");
auth = getVault().auth().createToken(tokenRequest);
```

I have a test case that validates that the token is valid, then sleeps long enough for the token to expire. I also validated that attempting to use it after 1 minute results in a 403 response code. Then I call the following method that ALSO fails with a 403 code:

```java
if (vaultAuth != null && vaultAuth.isAuthRenewable()) {
    vaultAuth = vault.auth().renewSelf();
} else {
    TokenRequest tokenRequest = new TokenRequest().ttl("1h").renewable(true);
    vaultAuth = vault.auth().createToken(tokenRequest);
}
```

Can someone please point me to the proper way of renewing a token inside of Vault with your API? Thanks.
P.S. Also, can someone explain the difference between the `isAuthRenewable()` and `getRenewable()` methods of the `AuthResponse` object? FWIW, I noticed that the value returned by `getRenewable()` is always `false` regardless of the value passed in with the `TokenRequest` object.
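
The behaviour discussed in this thread (a still-valid token can be renewed with `renewSelf()`, an expired one gets a 403), written out as an added example that is not code from the driver or from either poster: renew shortly before expiry, and log in again when renewal is refused or no longer extends the TTL. The `TokenKeeper` class, the 30-second margin, and the AppRole role ID and secret ID supplied by the caller are assumptions; it also assumes a reachable Vault server with the AppRole auth method enabled.

```java
import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.response.AuthResponse;

/** Hypothetical helper: keeps the token in the shared VaultConfig usable. */
public class TokenKeeper {
    private static final long MARGIN_MS = 30_000L;   // assumed safety margin before expiry
    private final VaultConfig config;
    private final Vault vault;
    private final String roleId, secretId;           // AppRole credentials supplied by the caller
    private long expiresAtMillis;
    private boolean renewable;

    public TokenKeeper(String address, String roleId, String secretId) throws VaultException {
        this.config = new VaultConfig().address(address).build();
        this.vault = new Vault(config);
        this.roleId = roleId;
        this.secretId = secretId;
        login();
    }

    private void login() throws VaultException {
        AuthResponse auth = vault.auth().loginByAppRole(roleId, secretId);
        config.token(auth.getAuthClientToken());     // later driver calls read the token from this config
        record(auth);
    }

    private void record(AuthResponse auth) {
        renewable = auth.isAuthRenewable();
        expiresAtMillis = System.currentTimeMillis() + auth.getAuthLeaseDuration() * 1000L;
    }

    /** Call before each Vault request, or from a scheduler. */
    public synchronized Vault freshVault() throws VaultException {
        long remaining = expiresAtMillis - System.currentTimeMillis();
        if (remaining > MARGIN_MS) return vault;      // enough TTL left, nothing to do
        if (renewable && remaining > 0) {             // renewal only works while the token is still valid
            try {
                record(vault.auth().renewSelf());
                if (expiresAtMillis - System.currentTimeMillis() > MARGIN_MS) return vault;
            } catch (VaultException e) {
                if (e.getHttpStatusCode() != 403) throw e;  // 403: token expired or revoked, fall through
            }
        }
        login();                                      // expired, refused, or capped by max TTL: re-authenticate
        return vault;
    }
}
```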