madrisan / hashicorp-vault-monitor

:key: HashiCorp Vault Monitoring Tool
Mozilla Public License 2.0

Monitoring token accessors #3

Closed unix196 closed 4 years ago

unix196 commented 4 years ago

Is it possible to monitor Vault token accessors? I'm planning to monitor important tokens in Nagios, but I don't want to show these tokens anywhere. The expiration date of the Vault tokens I can receive from their accessors. In the utility documentation I don't find any examples of this possibility.

madrisan commented 4 years ago

Interesting question. I need to investigate on this. Do you have a link to the vault documentation?

unix196 commented 4 years ago

https://www.vaultproject.io/docs/concepts/tokens/#token-accessors View accessors:

vault list auth/token/accessors
L9rZ36...
....

or use API - https://www.vaultproject.io/api-docs/auth/token/#list-accessors

Get info about specific accessor:

vault token lookup -accessor L9rZ36....
Key                  Value
---                  -----
accessor             L9rZ36
creation_time        1579777573
creation_ttl         87600h
display_name         token-policy-for-admins
entity_id            n/a
expire_time          2030-01-20T11:06:13.159312023Z
explicit_max_ttl     0s
id                   n/a
issue_time           2020-01-23T11:06:13.229902959Z
last_renewal         2020-02-07T08:43:08.159312283Z
last_renewal_time    1581064988
meta                 <nil>
num_uses             0
orphan               false
path                 auth/token/create
policies             [default policy_admins]
renewable            true
ttl                  87151h50m25s
type                 service

or use API - https://www.vaultproject.io/api-docs/auth/token/#lookup-a-token-accessor When looking up a token, use the path /auth/token/lookup; when looking up an accessor, use the path /auth/token/lookup-accessor. That is the only difference.

madrisan commented 4 years ago

As far as I can see in the documentation you still need the main token for querying vault and pass an additional accessor argument.

See also the code.

unix196 commented 4 years ago

I created a test policy (without update it doesn't work):

policy_test:
path "auth/token/lookup-accessor" {
  capabilities = ["update", "sudo", "read", "list"]
}

Generate a token with this policy:

vault token create -policy=policy_test -display-name=test_token
Key                  Value
---                  -----
token                s.lMsdbkgl40notlzcK7RB4MoK
token_accessor       AurxMPgO3EskQMgfSaagHE6V
token_duration       768h
token_renewable      true
token_policies       ["default" "policy_test"]

Send a curl request (with Postman) and receive a response with information about the specific accessor:

Method - Post
URL - https://vault-server.com/v1/auth/token/lookup-accessor
Body - 
{
  "accessor": "FknaXw3JK87K7dqiYS58gEm9"
}
header X-Vault-Token - s.lMsdbkgl40notlzcK7RB4MoK

With this policy I can get information about accessors, but listing is forbidden (https://vault-server.com/v1/auth/token/accessors, for security reasons).

Therefore, just create a token for the Nagios plugin with a policy with these minimal rights.

As I see it, sample flags to run:

$GOPATH/bin/hashicorp-vault-monitor token-lookup-accessor -id "FknaXw3JK87K7dqiYS58gEm9" \
    -address=$VAULT_ADDR -token "39d2c714-6dce-6d96-513f-4cb250bf7fe8" \
    -warning=120h -critical=72h

where id is the accessor id and token is a token with that policy:

path "auth/token/lookup-accessor" {
  capabilities = ["update", "sudo", "read", "list"]
}

madrisan commented 4 years ago

Ok... but I still do not get the point. You want to monitor the expiration date of a token through its associated token accessor, to avoid writing the main token in the monitoring configuration. That's what you had written in your first comment. But in your command-line example you need both the tokens. So, where's the security improvement?

unix196 commented 4 years ago

$GOPATH/bin/hashicorp-vault-monitor token-lookup \
    -address=$VAULT_ADDR -token "39d2c714-6dce-6d96-513f-4cb250bf7fe8" \
    -warning=120h -critical=72

In this example (from the documentation) we monitor the expiration date of the token "39d2c714-6dc...", but I don't want to show this token in the Nagios configuration files (for example, if this is my admin token). In my example (hashicorp-vault-monitor token-lookup-accessor -id "FknaXw3JK87K7dqiYS58gEm9" -address=$VAULT_ADDR -token "39d2c714...") I use only one token with a specific policy, which can get information about a specific accessor. This token cannot do anything else. In the Vault security model, Vault cannot list the tokens which it created. Therefore, when I read some token accessor, I can receive only some common information:

vault token lookup -accessor L9rZ36....
Key                  Value
---                  -----
accessor             L9rZ36
creation_time        1579777573
creation_ttl         87600h
display_name         token-policy-for-admins
entity_id            n/a
expire_time          2030-01-20T11:06:13.159312023Z
...

I cannot list/read the tokens which have this token accessor (nobody can, I think :) ). If I could remove the token accessor, yes, all tokens with this token accessor would be deleted, but my policy

policy_test:
path "auth/token/lookup-accessor" {
  capabilities = ["update", "sudo", "read", "list"]
}

doesn't have permission for this action.

in your command-line example you need both the tokens

https://www.vaultproject.io/docs/concepts/tokens/

Finally, the only way to "list tokens" is via the auth/token/accessors command, which actually gives a list of token accessors. While this is still a dangerous endpoint (since listing all of the accessors means that they can then be used to revoke all tokens), it also provides a way to audit and revoke the currently-active set of tokens.

To revoke a token accessor, I must have suitable rights - https://www.vaultproject.io/api/auth/token/index.html#revoke-a-token-accessor

POST /auth/token/revoke-accessor
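The accessor-based check that unix196 describes (the Postman request with the minimal-policy token, and the token-lookup-accessor flags proposed above) as a small Go program; this is an added example, not code from the thread or from the hashicorp-vault-monitor project. It sends the same POST body and X-Vault-Token header, reads expire_time from the response, and maps the remaining lifetime onto Nagios exit codes with -warning/-critical style thresholds. The Vault server is a constructed httptest stand-in, and the accessor, the monitoring token string and the thresholds are assumed values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// lookupAccessor POSTs to /v1/auth/token/lookup-accessor with only the minimal-policy token and returns expire_time.
func lookupAccessor(addr, token, accessor string) (time.Time, error) {
	body := strings.NewReader(fmt.Sprintf(`{"accessor":%q}`, accessor))
	req, _ := http.NewRequest(http.MethodPost, addr+"/v1/auth/token/lookup-accessor", body)
	req.Header.Set("X-Vault-Token", token) // the monitoring token, never the monitored one
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return time.Time{}, err
	}
	defer resp.Body.Close()
	var out struct{ Data struct{ ExpireTime string `json:"expire_time"` } `json:"data"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Data.ExpireTime == "" {
		return time.Time{}, fmt.Errorf("HTTP %d: no usable expire_time (%v)", resp.StatusCode, err) // 403 if the policy lacks update
	}
	return time.Parse(time.RFC3339Nano, out.Data.ExpireTime)
}

// check maps the remaining lifetime onto Nagios exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
func check(addr, token, accessor string, warning, critical time.Duration) (int, string) {
	expire, err := lookupAccessor(addr, token, accessor)
	if err != nil {
		return 3, "UNKNOWN: " + err.Error()
	}
	switch left := time.Until(expire).Round(time.Minute); {
	case left <= critical:
		return 2, fmt.Sprintf("CRITICAL: token expires in %s", left)
	case left <= warning:
		return 1, fmt.Sprintf("WARNING: token expires in %s", left)
	default:
		return 0, fmt.Sprintf("OK: token expires in %s", left)
	}
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { // constructed stand-in for Vault
		fmt.Fprint(w, `{"data":{"accessor":"L9rZ36","expire_time":"2030-01-20T11:06:13.159312023Z"}}`) // expire_time copied from the thread
	}))
	defer srv.Close()
	fmt.Println(check(srv.URL, "s.constructed-monitor-token", "L9rZ36", 120*time.Hour, 72*time.Hour))
}
```

Against a real Vault, the token passed in X-Vault-Token needs only the update capability on auth/token/lookup-accessor, which is why a 403 from that path is reported as UNKNOWN rather than as an expiry state.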

madrisan commented 4 years ago

Thanks for the full explanation. I was able to set up a PoC and the coding is in progress. A new release implementing your suggestion will be ready shortly.

unix196 commented 4 years ago

Thanks! It's working!