Closed Freakin closed 7 years ago
Hi @Freakin
This is actually a known issue. Unfortunately we haven't been able to think of a good way to solve this, since the token is needed to write (or in this case delete) the binding info from Vault.
Thanks @sethvargo. If I renew my token before TTL expiration, will that allow me to use it indefinitely and delete it if desired?
@Freakin if it's a periodic token, yes. You can read more about periodic token creation in the README.
@sethvargo
Slightly unrelated, but I feel it is relevant in terms of maintaining data sanity. Should shutting down the broker translate into cleaning up the created mounts and token inside the Vault server? I was thinking that if you could capture the SIGINT signal and do a graceful clean-up, it would help in maintaining some data sanity. I am not a Go programmer and I am getting to know Vault, so please forgive me for any ignorance.
But coming back to the issue in these lines, can you explain how availability/restarts of the broker would impact the bound services? I faced an issue the other day. I had my dev set-up inactive for like 4 days and I started it up the other day to see that the tokens set in the env for my bindings had expired. The broker kept trying to renew the same and was getting back a 400. Finally I had to manually remove the mounts in the Vault server, purge the services and then recreate them.
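The renew-before-expiry behaviour that @sethvargo's periodic-token answer and the 400-on-renew failure above describe, as an added example that is not the vault-service-broker project's own code. It assumes a client object exposing `lookup_self()` and `renew_self()` that return Vault's token data as plain dicts with `renewable`, `period` and `ttl` keys (an adapter over hvac's `client.auth.token.lookup_self()` / `renew_self()` would do; hvac's renew response carries the new TTL as `auth.lease_duration`), and it renews at half of the remaining TTL so a periodic token never reaches zero while the broker is up.

```python
import time


class TokenExpired(RuntimeError):
    """The token can no longer be renewed (Vault rejects renew-self, e.g.
    with a 400); the only recovery is issuing the broker a fresh token."""


def check_periodic(lookup_data):
    """Validate lookup-self data and return the period in seconds.
    A non-periodic token eventually hits its max TTL however often it is
    renewed, which is exactly the expiry seen in this issue."""
    if not lookup_data.get("renewable"):
        raise ValueError("token is not renewable")
    period = int(lookup_data.get("period") or 0)
    if period <= 0:
        raise ValueError("token is not periodic; it will hit its max TTL")
    return period


def renewal_delay(lookup_data, fraction=0.5, floor=1):
    """Seconds to wait before the next renew-self: a fraction of the
    remaining TTL, so a transient Vault outage still leaves headroom."""
    ttl = int(lookup_data.get("ttl", 0))
    if ttl <= 0:
        raise TokenExpired("token TTL already reached zero")
    return max(floor, int(ttl * fraction))


def keep_alive(client, rounds, sleep=time.sleep):
    """Renew the broker's token `rounds` times, returning the TTL after
    each renewal. `client` is the assumed duck-typed adapter described in
    the lead-in; any exception it raises on renew is treated as expiry."""
    data = client.lookup_self()
    check_periodic(data)
    ttls_after_renew = []
    for _ in range(rounds):
        sleep(renewal_delay(data))
        try:
            data = client.renew_self()  # resets ttl to the period
        except Exception as exc:  # hvac raises InvalidRequest/Forbidden
            raise TokenExpired("renew-self rejected: %s" % exc) from exc
        ttls_after_renew.append(int(data["ttl"]))
    return ttls_after_renew
```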
I'm not terribly familiar with Vault yet, so please forgive me if I'm missing something.
I created the Vault service broker and it is working correctly. I'm using the sample policy in the README doc for the broker token.
I created a service successfully and bound it to my app, and was able to write secrets to the generic space backend and read them from my app (a Python app using hvac).
It appears my token has expired and I can no longer auth with it.
When I attempt to unbind my service, I get the following:
Here are the logs from the Vault broker: