Closed TJM closed 1 year ago
I wonder if there is a way to have it track that or run some sort of "onDelete" action? The "leases" (role tokens) were cleaned up, at least.
I think that already happens.
I have enabled the secret engine on my acceptance vault and now I want to disable:
```
/ $ vault secrets disable artifactory
Error disabling secrets engine at artifactory/: Error making API request.
URL: DELETE http://127.0.0.1:8200/v1/sys/mounts/artifactory
Code: 400. Errors:
* failed to revoke "artifactory/token/REDACT/...REDACT" (1 / 3): failed to revoke entry: resp: (*logical.Response)(nil) err: could not get the sytem version: HTTP response 401
```
The token on the mount is already revoked, so 401 is desirable.
If the token was valid, it would revoke it, as far as I understand from the above.
I just started working on this. I'll check it out, @EvertonSA, and see if that's the case already.
@EvertonSA I was not able to replicate your result. When I disable the secrets engine, I got the following:
```
% vault secrets disable artifactory
Success! Disabled the secrets engine (if it existed) at: artifactory/
```
And the auth token in Artifactory still exists so I'm pretty sure it has not been revoked.
@TJM I have not been able to find any way to intercept the unmount event. The closest I found is the `clean` function, but that gets called on plugin exit, not just on unmount.
Therefore, I am not seeing a way to automatically revoke the auth token on unmount at this point. I am closing this ticket but feel free to reopen if you learn something new.
When the artifactory secrets engine is unmounted (`vault secrets disable artifactory`), it should probably clean up its admin token, especially if it has been rotated.