Whichever authentication method we use, a token is involved. Every token has a TTL (Token TTL, Time To Live) value that determines how long the token lives, but the initial token lifetime values are too high.

When we create a new token, it is assigned a TTL value determined in the following order of precedence:

  1. At token creation time, we can specify the TTL value explicitly
  2. Endpoint Tune: the default TTL configured for the authentication method
  3. System Default: the configured system-wide default value of the Vault cluster (32 days)

Let's look at the original values:

$ vault read sys/auth/token/tune

Key                  Value
---                  -----
default_lease_ttl    768h
description          token based credentials
force_no_cache       false
max_lease_ttl        768h
token_type           default-service

Let's create a new token:

$ vault token create -policy=admins

After creating the token, we can see that the TTL (Time To Live) really is 768 hours, or 32 days. That value is simply too high, because, depending on the situation, a token should generally have a short lifetime.

$ vault token create -policy=admins

Key                  Value
---                  -----
token                hvs.CAESIN4453fnv6WxKaxnVZzkIi05Pr8EEq********
token_accessor       cdSDa1ZQMLdcT8****
token_duration       768h
token_renewable      true
token_policies       ["admins" "default"]
identity_policies    []
policies             ["admins" "default"]

Let's look at the default values at the level of the whole cluster:

$ vault read sys/auth/token/tune

Since the default TTL values are 32 days, let's change them:

$ vault write sys/auth/token/tune default_lease_ttl=1h
$ vault write sys/auth/token/tune max_lease_ttl=24h

Let's look at all authentication methods:

$ vault auth list --detailed

Path           Plugin        Accessor                    Default TTL    Max TTL    Token Type         Replication    Seal Wrap    External Entropy Access    Options    Description                           UUID                                    Version    Running Version          Running SHA256    Deprecation Status
----           ------        --------                    -----------    -------    ----------         -----------    ---------    -----------------------    -------    -----------                           ----                                    -------    ---------------          --------------    ------------------
approle/       approle       auth_approle_1117e04c       system         90000      default-service    replicated     false        false                      map[]      n/a                                   ec7253ae-cd76-a09d-413f-736e45518578    n/a        v1.12.2+builtin.vault    n/a               supported
aws/           aws           auth_aws_8fb56394           system         system     default-service    replicated     false        false                      map[]      n/a                                   76f01ef4-88fc-cc28-0822-d8b99aed5d1c    n/a        v1.12.2+builtin.vault    n/a               supported
gcp-a/         gcp           auth_gcp_71d4a554           system         system     default-service    replicated     false        false                      map[]      Managed by Terraform => k8s Module    b73b7dc6-be80-4331-47eb-0c7e5ec30b94    n/a        v0.14.0+builtin          n/a               supported
gcp-dev/       gcp           auth_gcp_001cb570           system         system     default-service    replicated     false        false                      map[]      Managed by Terraform => k8s Module    72b23e84-509d-9e30-aede-9ae8c159366b    n/a        v0.14.0+builtin          n/a               supported
gcp-qa/        gcp           auth_gcp_7152718d           system         system     default-service    replicated     false        false                      map[]      Managed by Terraform => k8s Module    e5e74aed-9977-1789-7fdf-5165f7feb414    n/a        v0.14.0+builtin          n/a               supported
gcp/           gcp           auth_gcp_9db2814d           system         system     default-service    replicated     false        false                      map[]      n/a                                   d2b8394f-1b95-8475-7db4-48757e92c3ff    n/a        v0.14.0+builtin          n/a               supported
kubernetes/    kubernetes    auth_kubernetes_7041dfb1    system         system     default-service    replicated     false        false                      map[]      n/a                                   6305a96e-8942-ebc9-1ce0-fac16aa7721d    n/a        v0.14.0+builtin          n/a               supported
oidc/          oidc          auth_oidc_5c7b37e0          system         system     default-service    replicated     false        false                      map[]      Azure Authentication                  16f0261e-a762-c0da-1120-9c75e142ca35    n/a        v1.12.2+builtin.vault    n/a               supported
token/         token         auth_token_f4e3928c         3600           86400      default-service    replicated     false        false                      map[]      token based credentials               b928c31a-a28d-2892-45a8-35459cb9121b    n/a        v1.12.2+builtin.vault    n/a               n/a
userpass/      userpass      auth_userpass_945b5973      system         system     default-service    replicated     false        false                      map[]      n/a                                   62e8f04b-b38e-6c59-79dd-a41199d267a4    n/a        v1.12.2+builtin.vault    n/a               supported

We can see that only the token method has changed its TTL, while the others have not. Let's change a few more:

$ vault write sys/auth/userpass/tune default_lease_ttl=30m

Success! Data written to: sys/auth/userpass/tune

$ vault write sys/auth/kubernetes/tune default_lease_ttl=60m

Success! Data written to: sys/auth/kubernetes/tune

After running the commands, let's look at the default values:

$ vault read sys/auth/token/tune

Key                  Value
---                  -----
default_lease_ttl    1h
description          token based credentials
force_no_cache       false
max_lease_ttl        24h
token_type           default-service

$ vault read sys/auth/userpass/tune

Key                  Value
---                  -----
default_lease_ttl    30m
description          n/a
force_no_cache       false
max_lease_ttl        768h
token_type           default-service

$ vault read sys/auth/kubernetes/tune

Key                  Value
---                  -----
default_lease_ttl    1h
description          n/a
force_no_cache       false
max_lease_ttl        768h
token_type           default-service

If we want to create a token and specify a TTL explicitly:

$ vault token create -policy=admins -ttl=2h

Key                  Value
---                  -----
token                hvs.CAESIJ-gLT_Pb_F-q5__K0sUTSdocf4OT6rvdDCim1t0d1c-*****
token_accessor       IgNt0eOQcNsdK******
token_duration       2h
token_renewable      true
token_policies       ["admins" "default"]
identity_policies    []
policies             ["admins" "default"]
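As an added illustration (not part of the original post or of Vault's own code), the script below encodes the TTL precedence from the list at the start of this post and audits a listing of auth mounts for values still above a chosen threshold. It works on the JSON shape of `vault auth list -format=json`, fed here from a constructed sample that mirrors the table above, where a value of 0 stands for "system"; the 768h system defaults, the 24h threshold and the per-mount values are assumptions taken from this post. Note that in the outputs above, tuning only default_lease_ttl on userpass and kubernetes left their max_lease_ttl at the inherited 768h, which is exactly the kind of half-tuned mount the audit is meant to surface.

```python
import json

# Cluster-wide defaults as shown on the page: 768h (32 days) for both values.
SYSTEM_DEFAULT_TTL = 768 * 3600
SYSTEM_MAX_TTL = 768 * 3600

# Constructed sample in the shape of `vault auth list -format=json` (a map of mount
# path -> mount info with a "config" block). Values mirror the table above; 0 means
# "system", i.e. the mount inherits the cluster default. Paths are illustrative.
SAMPLE_AUTH_LIST = json.dumps({
    "approle/":    {"type": "approle",    "config": {"default_lease_ttl": 0,    "max_lease_ttl": 90000}},
    "kubernetes/": {"type": "kubernetes", "config": {"default_lease_ttl": 3600, "max_lease_ttl": 0}},
    "oidc/":       {"type": "oidc",       "config": {"default_lease_ttl": 0,    "max_lease_ttl": 0}},
    "token/":      {"type": "token",      "config": {"default_lease_ttl": 3600, "max_lease_ttl": 86400}},
    "userpass/":   {"type": "userpass",   "config": {"default_lease_ttl": 1800, "max_lease_ttl": 0}},
})


def effective_ttl(requested, mount_default, mount_max,
                  system_default=SYSTEM_DEFAULT_TTL, system_max=SYSTEM_MAX_TTL):
    """Resolve the TTL (seconds) a new token receives, following the precedence
    described above: explicit request > mount tune > system default. The result is
    then capped at the mount's max TTL (or the system max if the mount inherits it),
    which is how Vault treats a request that exceeds max_lease_ttl."""
    max_ttl = mount_max or system_max
    if requested:
        ttl = requested
    elif mount_default:
        ttl = mount_default
    else:
        ttl = system_default
    return min(ttl, max_ttl)


def audit_auth_mounts(auth_list_json, threshold=24 * 3600):
    """Return (path, effective_default_ttl, effective_max_ttl) for every mount whose
    default or max token TTL exceeds `threshold` seconds. Mounts that still inherit
    the 32-day system values show up here even if only one of the two was tuned."""
    mounts = json.loads(auth_list_json)
    findings = []
    for path, info in sorted(mounts.items()):
        cfg = info.get("config", {})
        mount_default = cfg.get("default_lease_ttl", 0)
        mount_max = cfg.get("max_lease_ttl", 0)
        default_ttl = effective_ttl(0, mount_default, mount_max)
        max_ttl = mount_max or SYSTEM_MAX_TTL
        if default_ttl > threshold or max_ttl > threshold:
            findings.append((path, default_ttl, max_ttl))
    return findings


def human(seconds):
    """Format seconds the way the Vault CLI prints durations (e.g. 768h, 30m)."""
    if seconds % 3600 == 0:
        return f"{seconds // 3600}h"
    if seconds % 60 == 0:
        return f"{seconds // 60}m"
    return f"{seconds}s"


if __name__ == "__main__":
    # Real usage would read `vault auth list -format=json` from stdin; the constructed
    # sample is used here so the script runs offline.
    for path, d, m in audit_auth_mounts(SAMPLE_AUTH_LIST):
        print(f"{path:<14} default TTL {human(d):>6}  max TTL {human(m):>6}  <-- above 24h")
```

With the sample data only token/ passes: approle/ and oidc/ still inherit the system default, and kubernetes/ and userpass/ had their default tuned but keep a 768h max, so a caller can still request a long-lived token with -ttl.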

Recommendations:

Be careful and adjust the TTL for each authentication method separately. Logging in to Vault with the OIDC or Userpass method is not the same as running a Terraform workspace that needs very short-lived access to Vault in order to perform a task. Grafana or one of the telemetry tools is a great help in spotting a misconfigured authentication method, which we will write more about.

https://developer.hashicorp.com/vault/docs/commands/token/create