hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Vault executing revocation statements before postgresql credentials expiry #28738

Open rusanki opened 2 days ago

rusanki commented 2 days ago

Describe the bug
We have a database secret with a default and max TTL of 72000h, but Vault is running revocation statements after 32 days.

To Reproduce

Not able to reproduce this anywhere else. We had the default TTL and max TTL kept at the default 768h, but a few months back we updated them to 72000h to avoid expiring leases. Now we have faced this behaviour for the 3rd time. We verified the database user as well, which has the extended 72000h expiry, but can see a revocation statement which alters the user property to NOLOGIN ran after a 32-day period.

Expected behavior
We would expect the REVOCATION STATEMENTS to never have run because of the extended lease expiry.

Environment:

Vault server configuration file(s):

# Paste your Vault config here.
# Be sure to scrub any sensitive values
ui = true
log_level = "Debug"

retry_join {
  leader_tls_servername = "vault-server-tls"
}

listener "tcp" {
  tls_disable = 0
  address = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file = "/vault/userconfig/vault-server-tls/tls.crt"
  tls_key_file  = "/vault/userconfig/vault-server-tls/tls.key"
  tls_client_ca_file = "/vault/userconfig/vault-server-tls/ca.crt"

}
seal "awskms" {
  region     = "ap-south-1"
  kms_key_id = "<id>"
}
storage "postgresql" {
  ha_enabled = "true"
}

Additional context
We will now remove the revocation statement to avoid the recurrence, but wanted to highlight the behaviour and a possible bug.

miagilepner commented 1 day ago

Hi, I can't seem to reproduce this with the information given. TTLs take into account both the mount TTLs and the role TTLs. Did you update both to 72000h? Additionally, if you try to read the credentials, what value do you see for lease_duration?
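The point about mount TTLs and role TTLs in the comment above, worked through as an added example. This is not Vault's code and not part of the thread; it is a small Python model of the capping rule Vault applies when it issues a lease: the TTL comes from the role's default_ttl (falling back to the mount's, then the system default), and it is capped by the most restrictive of the role max_ttl, the mount max_lease_ttl and the system max_lease_ttl. The 768h constants are Vault's documented defaults; the `DbRole`/`MountTune` names and the two scenarios are constructed for illustration.

```python
"""Model of how Vault caps a dynamic secret's lease TTL.

Added example for this thread, NOT Vault's own code. It mirrors the
documented rule: lease TTL = role default_ttl (or mount/system default when
unset), capped by the smallest non-zero of role max_ttl, mount max_lease_ttl
and the system max_lease_ttl. 768h is Vault's documented default for both
default_lease_ttl and max_lease_ttl.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SYSTEM_DEFAULT_TTL_H = 768   # Vault default default_lease_ttl (32 days)
SYSTEM_MAX_TTL_H = 768       # Vault default max_lease_ttl (32 days)


@dataclass(frozen=True)
class MountTune:
    """Values as shown by `vault read sys/mounts/<path>/tune`; 0 = not tuned."""
    default_lease_ttl_h: int = 0
    max_lease_ttl_h: int = 0


@dataclass(frozen=True)
class DbRole:
    """default_ttl / max_ttl written to database/roles/<name>; 0 = unset."""
    default_ttl_h: int = 0
    max_ttl_h: int = 0


def effective_ttl_hours(role: DbRole, mount: MountTune,
                        requested_h: int = 0) -> Tuple[int, Optional[str]]:
    """Return (lease_duration in hours, warning-or-None) for a new credential.

    requested_h models a caller-supplied increment (0 = none). The first value
    is what `lease_duration` on `vault read database/creds/<role>` reflects.
    """
    # Mount tuning overrides the system values; an untuned mount inherits them.
    mount_default = mount.default_lease_ttl_h or SYSTEM_DEFAULT_TTL_H
    mount_max = mount.max_lease_ttl_h or SYSTEM_MAX_TTL_H

    # Effective cap: the role max only matters if it is MORE restrictive.
    max_ttl = mount_max
    if 0 < role.max_ttl_h < max_ttl:
        max_ttl = role.max_ttl_h

    # Requested TTL: explicit increment > role default > mount/system default.
    if requested_h > 0:
        ttl = requested_h
    elif role.default_ttl_h > 0:
        ttl = role.default_ttl_h
    else:
        ttl = mount_default

    warning = None
    if ttl > max_ttl:
        warning = f"TTL of {ttl}h exceeded the effective max_ttl of {max_ttl}h; capped"
        ttl = max_ttl
    return ttl, warning


def explain(role: DbRole, mount: MountTune) -> str:
    """Human-readable summary of the lease a given role/mount pair yields."""
    ttl, warning = effective_ttl_hours(role, mount)
    text = f"lease_duration={ttl}h ({ttl / 24:g} days)"
    return text + (f"  [{warning}]" if warning else "")


if __name__ == "__main__":
    # Scenario A (constructed): role raised to 72000h, mount left untuned.
    print("role 72000h, mount untuned:", explain(DbRole(72000, 72000), MountTune()))
    # Scenario B (constructed): role AND mount raised to 72000h.
    print("role 72000h, mount 72000h :", explain(DbRole(72000, 72000), MountTune(72000, 72000)))
```

Under this model, raising only the role to 72000h while the mount keeps the default max_lease_ttl yields a 768h lease, which is exactly 32 days; only when the mount is also tuned does the 72000h value survive. Comparing `vault read sys/mounts/<path>/tune` with the role's settings, and checking `lease_duration` on a freshly read credential, is the quick way to tell which case applies.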