yuria

Reputation: 553

Vault: How to tell a response-wrapped token was already read

I'm using Vault by HashiCorp to store my secrets, and as was advised in this blog: on target_application startup I provide a Response-Wrapped token via the ENV_PARAM to authenticate with Vault.

Next, the target_application tries to get the permanentToken but fails due to 2 possible cases where I can't access Vault:

  1. The token the target_application got is already expired.
  2. The token was already read by somebody else so I can't read it now.

In both cases I get "permission denied" from Vault.

How can I check that the 2nd case happened?

Upvotes: 1

Views: 619

Answers (1)

yuria

Reputation: 553

A solution that works for me: when creating a response-wrapped token you get:

  1. token creation time
  2. token's time to live

Adding these two and passing the result to the target-application helps you (in case of getting denial of token) determine which of the 2 occurred.

Upvotes: 1
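
Added example, not part of the original answer: a sketch of the check the answer describes, using the `creation_time` and `ttl` fields that Vault returns in `wrap_info` when it wraps a response. The function names, the 5-second clock-skew margin and the sample values are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")

def parse_creation_time(value):
    """Parse Vault's RFC 3339 creation_time, which can carry nanoseconds."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"unrecognised creation_time: {value!r}")
    base, frac, tz = m.groups()
    micros = (frac or "")[:6].ljust(6, "0")  # datetime keeps microseconds only
    tz = "+00:00" if tz == "Z" else tz
    return datetime.strptime(f"{base}.{micros}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")

def wrap_expiry(wrap_info):
    """Launcher side: creation time plus TTL, passed on with the token."""
    created = parse_creation_time(wrap_info["creation_time"])
    return created + timedelta(seconds=wrap_info["ttl"])

def classify_denial(expiry, now, skew=timedelta(seconds=5)):
    """Application side: call only after unwrap returned 'permission denied'."""
    if now >= expiry + skew:
        return "expired"
    if now <= expiry - skew:
        # Still inside its TTL yet rejected: most likely someone else
        # already unwrapped it, so raise an alert instead of just retrying.
        return "already_unwrapped"
    return "ambiguous"  # too close to expiry to decide, given clock skew

# Constructed sample of the wrap_info block (token is a placeholder).
SAMPLE_WRAP_INFO = {
    "token": "<wrapping-token-placeholder>",
    "ttl": 300,
    "creation_time": "2024-01-15T10:00:00.123456789Z",
}

if __name__ == "__main__":
    expiry = wrap_expiry(SAMPLE_WRAP_INFO)
    print(expiry.isoformat(), classify_denial(expiry, datetime.now(timezone.utc)))
```

Both sides need reasonably synchronised clocks; widen `skew` if they are not.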
