PremiereGlobal / stim

Speeding up development with glue that brings tools together
MIT License

Stim vault login should recreate the token file #34

Open thorix opened 5 years ago

thorix commented 5 years ago

Let's say a policy gets added to a user. They will need to log in to Vault again. They might try to run stim vault login. This will not work since it doesn't delete the vault-token file. Stim should act as the Vault CLI does and recreate the token file.

lwahlmeier commented 5 years ago

I actually like the current design of it not creating a new token, though I do agree it should state that it didn't create a new one, and there should be a flag to force creation of one, say a "-f" flag.

thorix commented 5 years ago

It seems like it should follow whatever the Vault CLI tool does. This way it is more friendly for those that do use both tools. Maybe the flip could be to keep the old token and not create a new one if some flag is set in the config or CLI? Also, if you ever need to run something like stim aws login, just run that command and not stim vault login. I am guessing the use case for this command is almost entirely the force-change-token-file case stated above.

lwahlmeier commented 5 years ago

Stim is not Vault, and there is nothing between the two that would make them need to act the same. The behavior implemented should be based on what works best for the use case of stim, not how another tool works.

I much prefer the pattern of only creating a new token if it's needed or explicitly asked for. For the use case of a policy for a user changing while they have a token, I see that as a very specific case and one I don't see anyone getting into without knowing they are getting into it, at which point just having a flag to force the re-login is more than enough.

I am not really sure what you mean with stim aws login; regardless of the change to stim vault login, you would have to run it again to get a new Vault token, possibly with a flag to force the re-login.

thorix commented 5 years ago

Users of stim do not need to use stim vault login. Users are not using stim to simply log in to Vault. We do not have metrics, but from my observations, users are going to use commands like stim aws login or stim deploy. These commands will automatically log you into Vault without you having to use stim vault login at any time. That means if most users are going to use stim vault login, it will mostly be for this use case. The goal here is to make stim easy for lots of people.

As a compromise, I propose stim vault login should prompt the user asking whether they want to create a new token. This prompt can be disabled in the config for our use case. This prompt would only show if they already have a token that has not expired yet. I feel this is a great feature that saves the user from entering the password for no reason. Users do not know or care about some Vault token file, nor should they have to think about one more special flag needed to get this tool working when struggling with policy access setup.

Also, I don't feel creating "lots" of new tokens for Vault is a problem. On the other hand, I do think stim aws login should try to reuse or remove old federated temporary users. But that is a different problem that I am just using for contrast.
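The two proposals in this thread, lwahlmeier's "-f" flag that forces a new token and thorix's prompt that only appears when a still-valid token exists and can be switched off in config, combined into one login flow as an added example. This is Go code written for this page, not stim's own source: the names LoginOptions, DecideLogin, VaultClient, EnsureLogin and the Force/PromptOnValid fields are assumptions, and the Vault login and token-lookup calls are injected stand-ins so the example runs offline against a temporary token file.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// LoginAction is what `stim vault login` decides to do before touching Vault.
type LoginAction int

const (
	ReuseToken  LoginAction = iota // keep the existing, unexpired token
	CreateToken                    // authenticate again and overwrite the token file
	PromptUser                     // ask whether a still-valid token should be replaced
)

func (a LoginAction) String() string { return [...]string{"reuse", "create", "prompt"}[a] }

// LoginOptions models the two proposals in the thread; the field names are assumptions.
type LoginOptions struct {
	Force         bool // lwahlmeier's -f flag: always re-authenticate
	PromptOnValid bool // thorix's prompt, which a config setting could disable
}

// DecideLogin is the pure decision rule, kept free of I/O so it is easy to test.
func DecideLogin(present bool, expiry time.Time, opts LoginOptions, now time.Time) LoginAction {
	if opts.Force || !present || !now.Before(expiry) {
		return CreateToken
	}
	if opts.PromptOnValid {
		return PromptUser
	}
	return ReuseToken
}

// VaultClient is the minimal Vault surface the flow needs; both calls are injected
// stand-ins (an auth-method login and a token lookup) so the example runs offline.
type VaultClient struct {
	Authenticate func() (token string, expiry time.Time, err error)
	LookupExpiry func(token string) (time.Time, error)
}

// ReadTokenFile returns the cached token, or "" when the file is missing or unreadable.
func ReadTokenFile(path string) string {
	b, err := os.ReadFile(path)
	if err != nil {
		return ""
	}
	return strings.TrimSpace(string(b))
}

// EnsureLogin runs the whole flow: inspect the cached token, decide, prompt if needed,
// re-authenticate only when required, and write the new token owner-readable only.
func EnsureLogin(path string, opts LoginOptions, vault VaultClient, now time.Time, confirm func() bool) (LoginAction, string, error) {
	cached := ReadTokenFile(path)
	var expiry time.Time // the zero value counts as expired
	if cached != "" {
		if exp, err := vault.LookupExpiry(cached); err == nil { // lookup failure => re-login
			expiry = exp
		}
	}
	action := DecideLogin(cached != "", expiry, opts, now)
	if action == PromptUser { // keep the token unless the user explicitly says yes
		action = ReuseToken
		if confirm != nil && confirm() {
			action = CreateToken
		}
	}
	if action == ReuseToken {
		return ReuseToken, cached, nil
	}
	token, _, err := vault.Authenticate()
	if err != nil {
		return CreateToken, "", err
	}
	return CreateToken, token, os.WriteFile(path, []byte(token+"\n"), 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "stim-login-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	calls := 0 // constructed stand-in for Vault: every login issues a fresh one-hour token
	vault := VaultClient{
		Authenticate: func() (string, time.Time, error) {
			calls++
			return fmt.Sprintf("example-token-%d", calls), time.Now().Add(time.Hour), nil
		},
		LookupExpiry: func(string) (time.Time, error) { return time.Now().Add(time.Hour), nil },
	}
	for _, opts := range []LoginOptions{{}, {}, {Force: true}} {
		action, token, err := EnsureLogin(filepath.Join(dir, "vault-token"), opts, vault, time.Now(), nil)
		if err != nil {
			panic(err)
		}
		fmt.Printf("force=%-5v -> %-6s %s\n", opts.Force, action, token) // create, reuse, create
	}
}
```

Running main shows the three outcomes discussed in the thread: the first call creates a token, the second reuses it, and the third with Force set recreates it. Keeping DecideLogin free of I/O means the rule itself (a missing, expired or unreadable token always triggers a fresh login; a valid one is kept unless forced or confirmed) can be tested without a Vault server, and writing the file with mode 0600 keeps the token readable only by its owner, as the Vault CLI does for its own token file.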