Whichever authentication method we use, a token is involved. Every token has a TTL (Token TTL, Time To Live) value that determines how long the token lives, but the initial (default) token lifetimes are far too high.
When we create a new token, it is assigned a TTL value determined in the following order of precedence:
- At token creation time, we can specify the TTL value explicitly
- Endpoint tune: the default TTL configured for the authentication method
- System default: the configured cluster-wide default value of the Vault cluster (32 days)
Let's look at the original values:
$ vault read sys/auth/token/tune
Key Value
--- -----
default_lease_ttl 768h
description token based credentials
force_no_cache false
max_lease_ttl 768h
token_type default-service
Let's create a new token:
$ vault token create -policy=admins
After creating the token, we see that the TTL (Time To Live) really is 768 hours, i.e. 32 days. That value is simply too high because, depending on the situation, a token should usually have a short lifetime.
$ vault token create -policy=admins
Key Value
--- -----
token hvs.CAESIN4453fnv6WxKaxnVZzkIi05Pr8EEq********
token_accessor cdSDa1ZQMLdcT8****
token_duration 768h
token_renewable true
token_policies ["admins" "default"]
identity_policies []
policies ["admins" "default"]
Let's look at the default values at the level of the whole cluster:
$ vault read sys/auth/token/tune
Since the default TTL values are 32 days, let's change them:
$ vault write sys/auth/token/tune default_lease_ttl=1h
$ vault write sys/auth/token/tune max_lease_ttl=24h
Let's look at all authentication methods:
$ vault auth list --detailed
Path Plugin Accessor Default TTL Max TTL Token Type Replication Seal Wrap External Entropy Access Options Description UUID Version Running Version Running SHA256 Deprecation Status
---- ------ -------- ----------- ------- ---------- ----------- --------- ----------------------- ------- ----------- ---- ------- --------------- -------------- ------------------
approle/ approle auth_approle_1117e04c system 90000 default-service replicated false false map[] n/a ec7253ae-cd76-a09d-413f-736e45518578 n/a v1.12.2+builtin.vault n/a supported
aws/ aws auth_aws_8fb56394 system system default-service replicated false false map[] n/a 76f01ef4-88fc-cc28-0822-d8b99aed5d1c n/a v1.12.2+builtin.vault n/a supported
gcp-a/ gcp auth_gcp_71d4a554 system system default-service replicated false false map[] Managed by Terraform => k8s Module b73b7dc6-be80-4331-47eb-0c7e5ec30b94 n/a v0.14.0+builtin n/a supported
gcp-dev/ gcp auth_gcp_001cb570 system system default-service replicated false false map[] Managed by Terraform => k8s Module 72b23e84-509d-9e30-aede-9ae8c159366b n/a v0.14.0+builtin n/a supported
gcp-qa/ gcp auth_gcp_7152718d system system default-service replicated false false map[] Managed by Terraform => k8s Module e5e74aed-9977-1789-7fdf-5165f7feb414 n/a v0.14.0+builtin n/a supported
gcp/ gcp auth_gcp_9db2814d system system default-service replicated false false map[] n/a d2b8394f-1b95-8475-7db4-48757e92c3ff n/a v0.14.0+builtin n/a supported
kubernetes/ kubernetes auth_kubernetes_7041dfb1 system system default-service replicated false false map[] n/a 6305a96e-8942-ebc9-1ce0-fac16aa7721d n/a v0.14.0+builtin n/a supported
oidc/ oidc auth_oidc_5c7b37e0 system system default-service replicated false false map[] Azure Authentication 16f0261e-a762-c0da-1120-9c75e142ca35 n/a v1.12.2+builtin.vault n/a supported
token/ token auth_token_f4e3928c 3600 86400 default-service replicated false false map[] token based credentials b928c31a-a28d-2892-45a8-35459cb9121b n/a v1.12.2+builtin.vault n/a n/a
userpass/ userpass auth_userpass_945b5973 system system default-service replicated false false map[] n/a 62e8f04b-b38e-6c59-79dd-a41199d267a4 n/a v1.12.2+builtin.vault n/a supported
We can see that only the token method has a changed TTL, while the others still inherit the system default. Let's change a few more:
$ vault write sys/auth/userpass/tune default_lease_ttl=30m
Success! Data written to: sys/auth/userpass/tune
$ vault write sys/auth/kubernetes/tune default_lease_ttl=60m
Success! Data written to: sys/auth/kubernetes/tune
After running the commands, let's look at the default values again:
$ vault read sys/auth/token/tune
Key Value
--- -----
default_lease_ttl 1h
description token based credentials
force_no_cache false
max_lease_ttl 24h
token_type default-service
$ vault read sys/auth/userpass/tune
Key Value
--- -----
default_lease_ttl 30m
description n/a
force_no_cache false
max_lease_ttl 768h
token_type default-service
$ vault read sys/auth/kubernetes/tune
Key Value
--- -----
default_lease_ttl 1h
description n/a
force_no_cache false
max_lease_ttl 768h
token_type default-service
If we want to create a token and specify its TTL explicitly:
$ vault token create -policy=admins -ttl=2h
Key Value
--- -----
token hvs.CAESIJ-gLT_Pb_F-q5__K0sUTSdocf4OT6rvdDCim1t0d1c-*****
token_accessor IgNt0eOQcNsdK******
token_duration 2h
token_renewable true
token_policies ["admins" "default"]
identity_policies []
policies ["admins" "default"]
Recommendations:
Be careful and adjust the TTL for each authentication method separately. Logging in to Vault via the OIDC or userpass method is not the same as running a Terraform workspace that needs only very brief access to Vault to perform a task. Grafana or one of the telemetry tools that can reveal a misconfigured authentication method is a great help; we will write more about that.
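As an added example (not code from the original post), here is a small Python audit that resolves each auth mount's effective default and max TTL, substituting the 768h cluster default wherever Vault reports 0 (shown as "system" in the list above), and emits the sys/auth/<path>/tune commands needed to bring every mount under a per-method limit. The auth list is a constructed sample modelled on the `vault auth list -format=json` output after the tune steps above, and the per-method limits in POLICY are an assumption for illustration.

```python
import json

# Vault stores 0 in a mount's config when it inherits the cluster-wide
# setting; `vault auth list -detailed` prints that as "system".
# The cluster default seen on this page is 768h (32 days).
SYSTEM_DEFAULT_TTL = 768 * 3600

# Constructed sample (seconds), shaped like `vault auth list -format=json`:
# token/ and userpass/ were tuned above, kubernetes/ only got a default TTL,
# approle/ has an explicit max of 90000s, oidc/ still inherits "system".
SAMPLE_AUTH_LIST = json.loads("""{
  "token/":      {"type": "token",      "config": {"default_lease_ttl": 3600, "max_lease_ttl": 86400}},
  "userpass/":   {"type": "userpass",   "config": {"default_lease_ttl": 1800, "max_lease_ttl": 0}},
  "kubernetes/": {"type": "kubernetes", "config": {"default_lease_ttl": 3600, "max_lease_ttl": 0}},
  "approle/":    {"type": "approle",    "config": {"default_lease_ttl": 0,    "max_lease_ttl": 90000}},
  "oidc/":       {"type": "oidc",       "config": {"default_lease_ttl": 0,    "max_lease_ttl": 0}}
}""")

# Assumed per-method ceilings (default_ttl, max_ttl) in seconds; "*" is the
# fallback for any method type not listed. Short-lived machine logins
# (kubernetes) get a tighter cap than interactive ones.
POLICY = {
    "token":      (3600, 86400),
    "userpass":   (1800, 28800),
    "kubernetes": (3600, 3600),
    "*":          (3600, 86400),
}


def effective_ttls(auth_list, system_default=SYSTEM_DEFAULT_TTL):
    """Resolve each mount's default/max TTL in seconds; 0 means 'system'."""
    result = {}
    for path, mount in auth_list.items():
        cfg = mount.get("config", {})
        result[path] = {
            "type": mount.get("type"),
            "default": cfg.get("default_lease_ttl", 0) or system_default,
            "max": cfg.get("max_lease_ttl", 0) or system_default,
        }
    return result


def audit(auth_list, limits=POLICY, system_default=SYSTEM_DEFAULT_TTL):
    """Return the tune commands needed to bring every mount under `limits`."""
    commands = []
    for path, ttls in effective_ttls(auth_list, system_default).items():
        want_default, want_max = limits.get(ttls["type"], limits["*"])
        args = []
        if ttls["default"] > want_default:
            args.append(f"default_lease_ttl={want_default}s")
        if ttls["max"] > want_max:
            args.append(f"max_lease_ttl={want_max}s")
        if args:  # Vault accepts Go-style durations such as "3600s"
            commands.append(f"vault write sys/auth/{path}tune " + " ".join(args))
    return commands


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_AUTH_LIST)))
```

Running it against live data is a matter of feeding `vault auth list -format=json` into `audit()` and reviewing the printed commands before applying them.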
https://developer.hashicorp.com/vault/docs/commands/token/create