Managing Tokens for Your Vault Instance
About Managing Tokens
The Vault service creates a token when you bind your application to a Vault service instance or create a service key. You use this token to authenticate to your Vault service instance. The Vault service REST APIs let you manage the token: look up its details, renew it, or revoke it.
The default time to live (TTL) for a Vault service instance token is 32 days. You can generate a token with a specific TTL when you bind your application to your Vault service instance or when you create a new service key.
You can use the Vault service API to perform the following tasks:
- Lookup Token Details of your Vault Service Instance
- Renew the Token of your Vault Service Instance
- Revoke the Token of your Vault Service Instance
In addition, you can also:
- Rotate the token for your Vault service instance to get a new token.
- Specify the duration (TTL) of the token for your Vault service instance.
- Add a read-only policy to the token.
APIs: Managing Tokens
Lookup Token Details of your Vault Service Instance
API | /auth/token/lookup-self |
Description | Look up the details of the token for your Vault service instance. |
Method | GET |
URL | /auth/token/lookup-self. For example, you can construct your URL to perform this operation as follows:
Note: You can get the path to the Vault service from your VCAP_SERVICES environment variable. |
Parameters | None |
Header | X-Vault-Token: <token> |
Returns | |
Renew the Token of your Vault Service Instance
API | /auth/token/renew-self |
Description | Renews the lease associated with the calling token, which prevents the token from expiring and being automatically revoked. A token can be renewed only if it has a lease associated with it. |
Method | POST |
URL | /auth/token/renew-self. For example, you can construct your URL to perform this operation as follows:
Note: You can get the path to the Vault service from your VCAP_SERVICES environment variable. |
Parameters | |
Header | X-Vault-Token: <token> |
Returns | |
Revoke the Token of your Vault Service Instance
API | /auth/token/revoke-self |
Description | Revokes the token that you use for your Vault service instance. When the token is revoked, all secrets generated with it are also revoked, so any application still holding it loses access immediately. |
Method | POST |
URL | /auth/token/revoke-self. For example, you can construct your URL to perform this operation as follows:
Note: You can get the path to the Vault service from your VCAP_SERVICES environment variable. |
Parameters | None |
Header | X-Vault-Token: <token> |
Returns | A 204 response code. |
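As an added example (not code from this page or from the Vault service itself), the following Python shows how an application might drive the three token operations above: it reads the Vault URL and token from VCAP_SERVICES, builds each request with the X-Vault-Token header, and renews the token only when lookup-self reports that it is renewable and close to expiry, so a token is never renewed blindly or left to expire and be revoked. The VCAP_SERVICES layout (service label `vault`, credential fields `url` and `token`), the `/v1` API prefix that HashiCorp Vault uses, and the offline `FakeVault` responder are assumptions made for this example.

```python
import json
import urllib.request

# Constructed VCAP_SERVICES document, shaped like what a bound Cloud Foundry
# app would see. The service label ("vault") and credential field names
# ("url", "token") are assumptions for this example, as are the values.
SAMPLE_VCAP_SERVICES = json.dumps({
    "vault": [{
        "name": "my-vault-instance",
        "credentials": {
            "url": "https://vault.example.invalid",   # constructed host
            "token": "s.constructed-example-token",   # constructed, not a real token
        },
    }]
})

# Token operations from the page, with the /v1 API prefix HashiCorp Vault
# uses (an assumption here, since the page omits the full URL).
TOKEN_OPERATIONS = {
    "lookup": ("GET", "/v1/auth/token/lookup-self"),
    "renew": ("POST", "/v1/auth/token/renew-self"),
    "revoke": ("POST", "/v1/auth/token/revoke-self"),
}

def vault_credentials(vcap_json, label="vault"):
    """Extract (base_url, token) from a VCAP_SERVICES document."""
    services = json.loads(vcap_json)
    creds = services[label][0]["credentials"]
    return creds["url"].rstrip("/"), creds["token"]

def build_request(base_url, token, operation):
    """Return (method, url, headers) for one of the token operations."""
    method, path = TOKEN_OPERATIONS[operation]
    return method, base_url + path, {"X-Vault-Token": token}

def should_renew(lookup_data, min_remaining_seconds):
    """Renew only renewable tokens that have a lease (ttl > 0) and are within
    min_remaining_seconds of expiring; a token without a lease cannot be renewed."""
    ttl = int(lookup_data.get("ttl", 0))
    return bool(lookup_data.get("renewable")) and 0 < ttl < min_remaining_seconds

def live_send(method, url, headers, body=None):
    """Real HTTP transport (urllib). Not used by the offline run below."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

class FakeVault:
    """Offline stand-in for the service so the example runs without a Vault
    instance. Responses mimic Vault's shape (data.ttl in seconds) but are constructed."""
    DEFAULT_TTL = 32 * 24 * 3600   # the page's 32-day default TTL

    def __init__(self, ttl_seconds, renewable=True):
        self.ttl, self.renewable, self.calls = ttl_seconds, renewable, []

    def send(self, method, url, headers, body=None):
        if headers.get("X-Vault-Token") is None:
            return 403, {"errors": ["missing client token"]}
        self.calls.append((method, url))
        if url.endswith("/auth/token/lookup-self"):
            return 200, {"data": {"ttl": self.ttl, "renewable": self.renewable}}
        if url.endswith("/auth/token/renew-self"):
            if not self.renewable:
                return 400, {"errors": ["lease is not renewable"]}
            self.ttl = self.DEFAULT_TTL
            return 200, {"auth": {"lease_duration": self.ttl, "renewable": True}}
        if url.endswith("/auth/token/revoke-self"):
            self.ttl, self.renewable = 0, False
            return 204, None
        return 404, None

def maintain_token(send, vcap_json, min_remaining_seconds=7 * 24 * 3600):
    """Look the token up; renew it if it is about to expire. Returns a status word."""
    base_url, token = vault_credentials(vcap_json)
    status, body = send(*build_request(base_url, token, "lookup"))
    if status != 200:
        return "lookup-failed"
    if not should_renew(body["data"], min_remaining_seconds):
        return "ok"
    status, _ = send(*build_request(base_url, token, "renew"))
    return "renewed" if status == 200 else "renew-failed"

if __name__ == "__main__":
    vault = FakeVault(ttl_seconds=3 * 24 * 3600)   # 3 days left: will be renewed
    print(maintain_token(vault.send, SAMPLE_VCAP_SERVICES), vault.ttl)
```

To run against a real instance, pass `live_send` instead of `vault.send` and the real VCAP_SERVICES value (`os.environ["VCAP_SERVICES"]`); the renewal threshold is deliberately a parameter so a scheduled job can pick a margin that suits its own run interval.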
Rotating the Token for your Vault Service Instance
You can rotate the token for your Vault service instance to obtain a new token value, for example after a suspected exposure or on a regular schedule.
Procedure
Specifying Duration of the Token for Your Vault Service Instance
The default time to live (TTL) for a Vault service instance token is 32 days. You can specify the duration of the token when you bind your application to your Vault service instance or when you create a new service key.
About This Task
Procedure
Adding a Read-Only Policy to the Token
When you add a read-only policy to a token, a user holding that token can read the token details but cannot create, update, or delete the token.
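As an added example (not from this page or the Vault service documentation), the following Python shows a read-only policy written in the JSON form that HashiCorp Vault accepts alongside HCL, together with a check that rejects any policy granting write capabilities before it is attached to a token. The secret paths in the two constructed policies are assumptions; the capability names are Vault's standard ones.

```python
import json

# Capabilities that let a token change state; a read-only policy grants none of these.
WRITE_CAPABILITIES = {"create", "update", "patch", "delete", "sudo", "root"}

# Constructed read-only policy in Vault's JSON policy form. The paths are
# assumptions for this example, not values from the page.
READ_ONLY_POLICY = json.dumps({
    "path": {
        "secret/my-app/*": {"capabilities": ["read", "list"]},
        "auth/token/lookup-self": {"capabilities": ["read"]},
    }
})

# Constructed policy that is NOT read-only: it can create, update and delete.
READ_WRITE_POLICY = json.dumps({
    "path": {
        "secret/my-app/*": {"capabilities": ["create", "read", "update", "delete", "list"]},
        "auth/token/revoke-self": {"capabilities": ["update"]},
    }
})

def write_grants(policy_json):
    """Return {path: [write capabilities]} for every path in the policy that
    grants any state-changing capability; an empty dict means read-only."""
    policy = json.loads(policy_json)
    grants = {}
    for path, rule in policy.get("path", {}).items():
        caps = set(rule.get("capabilities", []))
        offending = caps & WRITE_CAPABILITIES
        if offending:
            grants[path] = sorted(offending)
    return grants

def is_read_only(policy_json):
    """True when no path in the policy grants a write capability."""
    return not write_grants(policy_json)

def assert_read_only(policy_json):
    """Raise with the offending paths so a deployment step can refuse the policy."""
    grants = write_grants(policy_json)
    if grants:
        raise ValueError(f"policy is not read-only: {grants}")
    return True

if __name__ == "__main__":
    print("read-only:", is_read_only(READ_ONLY_POLICY))
    print("offending paths:", write_grants(READ_WRITE_POLICY))
```

A policy that passes this check can still be denied by a later `deny` rule or by other policies on the same token; the check only guarantees that this policy on its own adds no write rights.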