Revoke tokens created by the modules and lookups #287
Codecov Report

@@            Coverage Diff             @@
##             main     #287      +/-   ##
==========================================
- Coverage   98.66%   98.22%   -0.45%
==========================================
  Files          73       68       -5
  Lines        3679     3382     -297
  Branches      313      291      -22
==========================================
- Hits         3630     3322     -308
- Misses         40       51      +11
  Partials        9        9
Are there any instructions available on how to run the unittest? Invoking pytest yields
That makes it a bit hard to write the tests to fix the coverage…
Hello again @horazont !
I thought I had something in the contributor guide but it looks like I left out unit tests 😕 I've added an issue for that so I don't lose track of it: #288. But luckily running units are a lot easier than running integration. Although the units are written in pytest, we run them through
And that's basically it.
The coverage also includes integration tests, so that's part of why coverage is lacking. Will want to see some integration tests too.

About the change: I would prefer you opening a discussion (or possibly issue) before a PR for large sweeping changes like this, so we can discuss the proposed change, and how it might be implemented, before putting in the work. That said, I think the overall idea is good, I will need some time to think over the implementation. Something I will probably want to see is a new option for controlling this behavior, and will probably default it to being off. I'm trying to think if there's a possibility that a token would not have the ability to revoke itself, but probably they all have that ability? If you have confirmation let me know.
Thanks for all the guidance.
I understand that generally. In this case, before filing an issue, I wanted to evaluate the feasibility first on my own and ended up writing all strictly necessary code, so I thought I might as well put it up for discussion right away. I don't mind if we are going to discard all of this. If you prefer, we can move the discussion into an issue.
Hmmmm... I'm not so happy with the default being "off", but I won't die on that particular hill. If it can be controlled via an environment variable so we can easily default it to "on" for all of our things, that's good enough for me.
Fair enough (unfortunately, it's not possible to limit the number of uses for a token during login, that would be really neat; then we could just limit it to 1 for vault_read/write or N for the lookups and be done with it, without explicit revocation).
If a token is issued without the

Regarding running any tests,
Ok that's fine, the code is written and PR is up, so we can keep discussing here.
Absolutely, this is the kind of option I would like to be settable by environment variable, INI (
I suppose this could be done intentionally by the end user. For example by creating the right policies and additional roles or configurations on the login types to be used. Like creating an approle, or an AWS IAM auth role, specifically for use with Ansible that limits token uses. I guess to your point, the number of uses will vary by plugin/module, so that's not so easy or feasible.
Perfect, thank you for confirming; had a feeling the default policy would play a part there. Something we will need to point out in notes (and another reason for the behavior to be controllable).
I believe this happens due to issues with Something in the upstream containers used changed in
Alternatively,

Thank you for your work on this @horazont !
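The login, operate, then best-effort revoke lifecycle discussed in this thread, as an added example that is not the collection's or the PR's code: it models Vault with a constructed in-memory stand-in rather than hvac, and goes beyond the thread by also modelling use-limited tokens (the num_uses idea above) and a token that lacks the default policy's revoke-self capability, to show the cases where revocation can only warn.

```python
"""Login -> operate -> best-effort revoke, as discussed in this PR.
Constructed in-memory stand-in for Vault (not the collection's code, no hvac)."""
import warnings
from typing import Callable, Dict, Optional


class VaultError(Exception):
    """Request rejected by the stand-in server."""


class FakeVault:
    """Constructed stand-in: tracks tokens, their policies, uses and state."""

    def __init__(self) -> None:
        self.tokens: Dict[str, dict] = {}
        self._counter = 0

    def login_userpass(self, username: str, password: str,
                       policies=("default",), num_uses: int = 0) -> str:
        # Constructed: any credentials are accepted; a real server checks them.
        self._counter += 1
        token = f"hvs.constructed-{self._counter}"
        # num_uses == 0 means unlimited uses, as in Vault.
        self.tokens[token] = {"policies": set(policies),
                              "num_uses": num_uses, "revoked": False}
        return token

    def _use(self, token: str) -> dict:
        """Validate a token and consume one use if it is use-limited."""
        entry = self.tokens.get(token)
        if entry is None or entry["revoked"]:
            raise VaultError("permission denied: invalid or revoked token")
        if entry["num_uses"]:
            entry["num_uses"] -= 1
            if entry["num_uses"] == 0:
                # Vault revokes a token when its last use is consumed.
                entry["revoked"] = True
        return entry

    def read(self, token: str, path: str) -> dict:
        self._use(token)
        return {"data": {"path": path}}

    def revoke_self(self, token: str) -> None:
        """Needs auth/token/revoke-self, which Vault's default policy grants."""
        entry = self._use(token)
        if "default" not in entry["policies"]:
            raise VaultError("permission denied: auth/token/revoke-self")
        entry["revoked"] = True

    def is_valid(self, token: str) -> bool:
        entry = self.tokens.get(token)
        return entry is not None and not entry["revoked"]


def run_with_token(vault: FakeVault, operation: Callable[[str], dict], *,
                   token: Optional[str] = None, username: str = "",
                   password: str = "", revoke_ephemeral_token: bool = False,
                   policies=("default",), num_uses: int = 0,
                   warn: Callable[[str], None] = warnings.warn) -> dict:
    """Apply the documented revoke_ephemeral_token semantics to one operation.

    - A token passed in explicitly is used as-is and never revoked.
    - Otherwise a login token is created (ephemeral) and, when
      revoke_ephemeral_token is true, revoked once the operation finishes.
    - Revocation errors go to ``warn`` (an Ansible module would use
      module.warn) and never fail the operation: best-effort, as documented.
    Assumption: revocation also runs when the operation raises; the PR text
    only describes the completed-operation case.
    """
    ephemeral = token is None
    if ephemeral:
        token = vault.login_userpass(username, password, policies, num_uses)
    try:
        return operation(token)
    finally:
        if ephemeral and revoke_ephemeral_token:
            try:
                vault.revoke_self(token)
            except VaultError as exc:
                warn(f"revoke_ephemeral_token: token not revoked: {exc}")
```

A token whose revocation failed stays usable until its TTL or use limit runs out, which is why the auth role's token TTL remains the backstop when the option is on.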
Update: None of that works (
I have responded on IRC as well, but I should have mentioned to add
I believe that will install the necessary requirements in the venv. It may still be better to create your own venv with
Now that I got the tests to work (by downgrading to ansible-core 2.11 as you suggested, the docker method then works), I pushed a commit with a proof-of-concept for:
I'd appreciate any feedback. In particular, I'm unsure about the placement of the integration tests. I put them into the auth method tests for now, because there I have access to already prepared credentials I can just readily use. In addition, I'm only testing the

From that perspective, it seems to be sensible to put them there; if you think they should be in the plugin/lookup tests and/or I should find ways to integration-test the other modules too, let me know. Regarding unit testing, I'll add tests for the other modules in the meantime. Regarding the option: I hope this is the correct way of handling that. Ansible option processing is still a bit opaque to me.
Docs Build 📝
Thank you for contribution! ✨
The docs for this PR have been published here:
You can compare to the docs for the
The docsite for this PR is also available for download as an artifact from this run:
File changes:
NOTE: only file modifications are shown here. New and deleted files are excluded. The diff output was truncated because it exceeded the maximum size.
diff --git a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/hashi_vault_lookup.html b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/hashi_vault_lookup.html
index ea1706f..f285fa2 100644
--- a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/hashi_vault_lookup.html
+++ b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/hashi_vault_lookup.html
@@ -609,6 +609,32 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-revoke_ephemeral_token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-revoke-ephemeral-token"><strong>revoke_ephemeral_token</strong></p>
+<a class="ansibleOptionLink" href="#parameter-revoke_ephemeral_token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
+<p><span class="ansible-option-versionadded">added in community.hashi_vault 3.3.0</span></p>
+</div></td>
+<td><div class="ansible-option-cell"><p>When <code class="docutils literal notranslate"><span class="pre">true</span></code>, tokens created implicitly by auth methods will be revoked when the operation they are used for is completed.</p>
+<p>For example, calling <a class="reference internal" href="vault_read_module.html#ansible-collections-community-hashi-vault-vault-read-module"><span class="std std-ref">community.hashi_vault.vault_read</span></a> with <code class="docutils literal notranslate"><span class="pre">userpass</span></code> auth will perform a <code class="docutils literal notranslate"><span class="pre">userpass</span></code> login to retrieve a token, perform a read with that token, then attempt to revoke the token so it can no longer be used.</p>
+<p>Revocation is considered best-effort. Errors on revocaton will not result in execution failure. A warning will be emitted on revocation failure but in some circumstances, like non-revocation failures, the warning may not be displayed.</p>
+<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
+<ul class="simple">
+<li><p><span class="ansible-option-default-bold">false</span> <span class="ansible-option-default">← (default)</span></p></li>
+<li><p><span class="ansible-option-choices-entry">true</span></p></li>
+</ul>
+<p class="ansible-option-line"><span class="ansible-option-configuration">Configuration:</span></p>
+<ul>
+<li><p>INI entry:</p>
+<div class="highlight-YAML+Jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">[</span><span class="nv">hashi_vault_collection</span><span class="p p-Indicator">]</span><span class="w"></span>
+<span class="l l-Scalar l-Scalar-Plain">revoke_ephemeral_token = false</span><span class="w"></span>
+</pre></div>
+</div>
+</li>
+<li><p>Environment variable: ANSIBLE_HASHI_VAULT_REVOKE_EPHEMERAL_TOKEN</p></li>
+<li><p>Variable: ansible_hashi_vault_revoke_ephemeral_token</p></li>
+</ul>
+</div></td>
+</tr>
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-role_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-role-id"><strong>role_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-role_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
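Review bot: the option description has a typo ("Errors on revocaton") and its last sentence is hard to parse: "in some circumstances, like non-revocation failures, the warning may not be displayed" presumably means that when the operation itself fails, the revocation warning can be lost along with it; say that directly. Two things worth adding to the same paragraph, since this is the text users will read: a token whose revocation failed remains valid until its TTL or use limit expires, so the auth role's token TTL is still the backstop; and revoke-self depends on the token carrying Vault's default policy (the point raised earlier in this thread), so a login role that drops the default policy will always hit the warning path.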
@@ -633,14 +659,14 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-secret"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-secret"><strong>secret</strong></p>
<a class="ansibleOptionLink" href="#parameter-secret" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span> / <span class="ansible-option-required">required</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Vault path to the secret being requested in the format <code class="docutils literal notranslate"><span class="pre">path[:field]</span></code>.</p>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-secret_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-secret-id"><strong>secret_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-secret_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
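Review bot: this and the remaining hunks in this file only swap row-odd/row-even on the rows pushed down by the inserted option; they are a side effect of the generated docsite build rather than of the source change and need no review.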
@@ -656,7 +682,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-timeout"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-timeout"><strong>timeout</strong></p>
<a class="ansibleOptionLink" href="#parameter-timeout" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 1.3.0</span></p>
@@ -677,7 +703,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-token"><strong>token</strong></p>
<a class="ansibleOptionLink" href="#parameter-token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -695,7 +721,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_file"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-token-file"><strong>token_file</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_file" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -719,7 +745,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_path"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-token-path"><strong>token_path</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_path" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -742,7 +768,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_validate"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-token-validate"><strong>token_validate</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_validate" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 0.2.0</span></p>
@@ -772,7 +798,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-url"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-url"><strong>url</strong></p>
<a class="ansibleOptionLink" href="#parameter-url" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -800,7 +826,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-username"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-username"><strong>username</strong></p>
<a class="ansibleOptionLink" href="#parameter-username" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -816,7 +842,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-validate_certs"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-hashi-vault-lookup-parameter-validate-certs"><strong>validate_certs</strong></p>
<a class="ansibleOptionLink" href="#parameter-validate_certs" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
diff --git a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/vault_kv1_get_lookup.html b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/vault_kv1_get_lookup.html
index 9482e88..2a6d0f7 100644
--- a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/vault_kv1_get_lookup.html
+++ b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/vault_kv1_get_lookup.html
@@ -623,6 +623,32 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-revoke_ephemeral_token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-revoke-ephemeral-token"><strong>revoke_ephemeral_token</strong></p>
+<a class="ansibleOptionLink" href="#parameter-revoke_ephemeral_token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
+<p><span class="ansible-option-versionadded">added in community.hashi_vault 3.3.0</span></p>
+</div></td>
+<td><div class="ansible-option-cell"><p>When <code class="docutils literal notranslate"><span class="pre">true</span></code>, tokens created implicitly by auth methods will be revoked when the operation they are used for is completed.</p>
+<p>For example, calling <a class="reference internal" href="vault_read_module.html#ansible-collections-community-hashi-vault-vault-read-module"><span class="std std-ref">community.hashi_vault.vault_read</span></a> with <code class="docutils literal notranslate"><span class="pre">userpass</span></code> auth will perform a <code class="docutils literal notranslate"><span class="pre">userpass</span></code> login to retrieve a token, perform a read with that token, then attempt to revoke the token so it can no longer be used.</p>
+<p>Revocation is considered best-effort. Errors on revocaton will not result in execution failure. A warning will be emitted on revocation failure but in some circumstances, like non-revocation failures, the warning may not be displayed.</p>
+<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
+<ul class="simple">
+<li><p><span class="ansible-option-default-bold">false</span> <span class="ansible-option-default">← (default)</span></p></li>
+<li><p><span class="ansible-option-choices-entry">true</span></p></li>
+</ul>
+<p class="ansible-option-line"><span class="ansible-option-configuration">Configuration:</span></p>
+<ul>
+<li><p>INI entry:</p>
+<div class="highlight-YAML+Jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">[</span><span class="nv">hashi_vault_collection</span><span class="p p-Indicator">]</span><span class="w"></span>
+<span class="l l-Scalar l-Scalar-Plain">revoke_ephemeral_token = false</span><span class="w"></span>
+</pre></div>
+</div>
+</li>
+<li><p>Environment variable: ANSIBLE_HASHI_VAULT_REVOKE_EPHEMERAL_TOKEN</p></li>
+<li><p>Variable: ansible_hashi_vault_revoke_ephemeral_token</p></li>
+</ul>
+</div></td>
+</tr>
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-role_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-role-id"><strong>role_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-role_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
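Review bot: this block repeats the hashi_vault_lookup one word for word, including the "revocaton" typo, so it is presumably rendered from a shared doc fragment and should be fixed there once. The example names community.hashi_vault.vault_read, a module, while this page documents a lookup; a wording that covers both ("any module or lookup of this collection that logs in with userpass") would read better on every page the fragment lands on.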
@@ -647,7 +673,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-secret_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-secret-id"><strong>secret_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-secret_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -663,7 +689,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-timeout"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-timeout"><strong>timeout</strong></p>
<a class="ansibleOptionLink" href="#parameter-timeout" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 1.3.0</span></p>
@@ -684,7 +710,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-token"><strong>token</strong></p>
<a class="ansibleOptionLink" href="#parameter-token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -702,7 +728,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_file"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-token-file"><strong>token_file</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_file" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -726,7 +752,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_path"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-token-path"><strong>token_path</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_path" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -749,7 +775,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_validate"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-token-validate"><strong>token_validate</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_validate" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 0.2.0</span></p>
@@ -779,7 +805,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-url"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-url"><strong>url</strong></p>
<a class="ansibleOptionLink" href="#parameter-url" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -807,7 +833,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-username"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-username"><strong>username</strong></p>
<a class="ansibleOptionLink" href="#parameter-username" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -823,7 +849,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-validate_certs"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-lookup-parameter-validate-certs"><strong>validate_certs</strong></p>
<a class="ansibleOptionLink" href="#parameter-validate_certs" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
diff --git a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/vault_kv1_get_module.html b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/vault_kv1_get_module.html
index 330d8c3..806c0e1 100644
--- a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/vault_kv1_get_module.html
+++ b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/vault_kv1_get_module.html
@@ -394,6 +394,21 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-revoke_ephemeral_token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-revoke-ephemeral-token"><strong>revoke_ephemeral_token</strong></p>
+<a class="ansibleOptionLink" href="#parameter-revoke_ephemeral_token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
+<p><span class="ansible-option-versionadded">added in community.hashi_vault 3.3.0</span></p>
+</div></td>
+<td><div class="ansible-option-cell"><p>When <code class="docutils literal notranslate"><span class="pre">true</span></code>, tokens created implicitly by auth methods will be revoked when the operation they are used for is completed.</p>
+<p>For example, calling <a class="reference internal" href="vault_read_module.html#ansible-collections-community-hashi-vault-vault-read-module"><span class="std std-ref">community.hashi_vault.vault_read</span></a> with <code class="docutils literal notranslate"><span class="pre">userpass</span></code> auth will perform a <code class="docutils literal notranslate"><span class="pre">userpass</span></code> login to retrieve a token, perform a read with that token, then attempt to revoke the token so it can no longer be used.</p>
+<p>Revocation is considered best-effort. Errors on revocaton will not result in execution failure. A warning will be emitted on revocation failure but in some circumstances, like non-revocation failures, the warning may not be displayed.</p>
+<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
+<ul class="simple">
+<li><p><span class="ansible-option-default-bold">false</span> <span class="ansible-option-default">← (default)</span></p></li>
+<li><p><span class="ansible-option-choices-entry">true</span></p></li>
+</ul>
+</div></td>
+</tr>
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-role_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-role-id"><strong>role_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-role_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
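Review bot: unlike the two lookup pages, this module page lists no Configuration section for revoke_ephemeral_token (no INI entry, environment variable or ansible variable), so for modules the option can only be set per task or through module_defaults. The thread asked for the behaviour to be switchable on fleet-wide via an environment variable; confirm whether the module side is meant to honour ANSIBLE_HASHI_VAULT_REVOKE_EPHEMERAL_TOKEN as well, and if not, state in the option text that the environment and INI settings apply to lookups only.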
@@ -402,14 +417,14 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
<p>For <code class="docutils literal notranslate"><span class="pre">azure</span></code> auth, <em>role_id</em> is required.</p>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-secret_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-secret-id"><strong>secret_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-secret_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Secret ID to be used for Vault AppRole authentication.</p>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-timeout"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-timeout"><strong>timeout</strong></p>
<a class="ansibleOptionLink" href="#parameter-timeout" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 1.3.0</span></p>
@@ -418,7 +433,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
<p>If not set, then the <code class="docutils literal notranslate"><span class="pre">hvac</span></code> library’s default is used.</p>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-token"><strong>token</strong></p>
<a class="ansibleOptionLink" href="#parameter-token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -427,7 +442,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
<p>The order of token loading (first found wins) is <code class="docutils literal notranslate"><span class="pre">token</span> <span class="pre">param</span> <span class="pre">-></span> <span class="pre">ansible</span> <span class="pre">var</span> <span class="pre">-></span> <span class="pre">ANSIBLE_HASHI_VAULT_TOKEN</span> <span class="pre">-></span> <span class="pre">VAULT_TOKEN</span> <span class="pre">-></span> <span class="pre">token</span> <span class="pre">file</span></code>.</p>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_file"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-token-file"><strong>token_file</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_file" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -435,14 +450,14 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
<p class="ansible-option-line"><span class="ansible-option-default-bold">Default:</span> <span class="ansible-option-default">“.vault-token”</span></p>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_path"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-token-path"><strong>token_path</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_path" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>If no token is specified, will try to read the <em>token_file</em> from this path.</p>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_validate"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-token-validate"><strong>token_validate</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_validate" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 0.2.0</span></p>
@@ -458,7 +473,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-url"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-url"><strong>url</strong></p>
<a class="ansibleOptionLink" href="#parameter-url" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -467,14 +482,14 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
<p>If <code class="docutils literal notranslate"><span class="pre">VAULT_ADDR</span></code> is also not defined then an error will be raised.</p>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-username"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-username"><strong>username</strong></p>
<a class="ansibleOptionLink" href="#parameter-username" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Authentication user name.</p>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-validate_certs"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv1-get-module-parameter-validate-certs"><strong>validate_certs</strong></p>
<a class="ansibleOptionLink" href="#parameter-validate_certs" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
diff --git a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/vault_kv2_get_lookup.html b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/vault_kv2_get_lookup.html
index fc38c03..210bb86 100644
--- a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/vault_kv2_get_lookup.html
+++ b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/vault_kv2_get_lookup.html
@@ -624,6 +624,32 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-revoke_ephemeral_token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-revoke-ephemeral-token"><strong>revoke_ephemeral_token</strong></p>
+<a class="ansibleOptionLink" href="#parameter-revoke_ephemeral_token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
+<p><span class="ansible-option-versionadded">added in community.hashi_vault 3.3.0</span></p>
+</div></td>
+<td><div class="ansible-option-cell"><p>When <code class="docutils literal notranslate"><span class="pre">true</span></code>, tokens created implicitly by auth methods will be revoked when the operation they are used for is completed.</p>
+<p>For example, calling <a class="reference internal" href="vault_read_module.html#ansible-collections-community-hashi-vault-vault-read-module"><span class="std std-ref">community.hashi_vault.vault_read</span></a> with <code class="docutils literal notranslate"><span class="pre">userpass</span></code> auth will perform a <code class="docutils literal notranslate"><span class="pre">userpass</span></code> login to retrieve a token, perform a read with that token, then attempt to revoke the token so it can no longer be used.</p>
+<p>Revocation is considered best-effort. Errors on revocaton will not result in execution failure. A warning will be emitted on revocation failure but in some circumstances, like non-revocation failures, the warning may not be displayed.</p>
+<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
+<ul class="simple">
+<li><p><span class="ansible-option-default-bold">false</span> <span class="ansible-option-default">← (default)</span></p></li>
+<li><p><span class="ansible-option-choices-entry">true</span></p></li>
+</ul>
+<p class="ansible-option-line"><span class="ansible-option-configuration">Configuration:</span></p>
+<ul>
+<li><p>INI entry:</p>
+<div class="highlight-YAML+Jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">[</span><span class="nv">hashi_vault_collection</span><span class="p p-Indicator">]</span><span class="w"></span>
+<span class="l l-Scalar l-Scalar-Plain">revoke_ephemeral_token = false</span><span class="w"></span>
+</pre></div>
+</div>
+</li>
+<li><p>Environment variable: ANSIBLE_HASHI_VAULT_REVOKE_EPHEMERAL_TOKEN</p></li>
+<li><p>Variable: ansible_hashi_vault_revoke_ephemeral_token</p></li>
+</ul>
+</div></td>
+</tr>
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-role_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-role-id"><strong>role_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-role_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
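Review bot: the option description added in this hunk misspells "revocation" ("Errors on revocaton will not result in execution failure"), and the sentence after it, "in some circumstances, like non-revocation failures, the warning may not be displayed", is hard to parse; suggest "If the operation itself fails, the revocation warning may not be shown alongside that error." Since this paragraph cites vault_read with userpass as its example even on the kv2_get pages, the text is evidently a shared doc fragment, so fixing it once at the source corrects every generated page.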
@@ -648,7 +674,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-secret_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-secret-id"><strong>secret_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-secret_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -664,7 +690,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-timeout"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-timeout"><strong>timeout</strong></p>
<a class="ansibleOptionLink" href="#parameter-timeout" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 1.3.0</span></p>
@@ -685,7 +711,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-token"><strong>token</strong></p>
<a class="ansibleOptionLink" href="#parameter-token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -703,7 +729,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_file"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-token-file"><strong>token_file</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_file" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -727,7 +753,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_path"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-token-path"><strong>token_path</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_path" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -750,7 +776,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_validate"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-token-validate"><strong>token_validate</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_validate" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 0.2.0</span></p>
@@ -780,7 +806,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-url"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-url"><strong>url</strong></p>
<a class="ansibleOptionLink" href="#parameter-url" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -808,7 +834,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-username"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-username"><strong>username</strong></p>
<a class="ansibleOptionLink" href="#parameter-username" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -824,7 +850,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-validate_certs"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-validate-certs"><strong>validate_certs</strong></p>
<a class="ansibleOptionLink" href="#parameter-validate_certs" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
@@ -844,7 +870,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-version"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-lookup-parameter-version"><strong>version</strong></p>
<a class="ansibleOptionLink" href="#parameter-version" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
</div></td>
diff --git a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/vault_kv2_get_module.html b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/vault_kv2_get_module.html
index e1e9d95..5d5ed4a 100644
--- a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/vault_kv2_get_module.html
+++ b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/vault_kv2_get_module.html
@@ -395,6 +395,21 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-revoke_ephemeral_token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-revoke-ephemeral-token"><strong>revoke_ephemeral_token</strong></p>
+<a class="ansibleOptionLink" href="#parameter-revoke_ephemeral_token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
+<p><span class="ansible-option-versionadded">added in community.hashi_vault 3.3.0</span></p>
+</div></td>
+<td><div class="ansible-option-cell"><p>When <code class="docutils literal notranslate"><span class="pre">true</span></code>, tokens created implicitly by auth methods will be revoked when the operation they are used for is completed.</p>
+<p>For example, calling <a class="reference internal" href="vault_read_module.html#ansible-collections-community-hashi-vault-vault-read-module"><span class="std std-ref">community.hashi_vault.vault_read</span></a> with <code class="docutils literal notranslate"><span class="pre">userpass</span></code> auth will perform a <code class="docutils literal notranslate"><span class="pre">userpass</span></code> login to retrieve a token, perform a read with that token, then attempt to revoke the token so it can no longer be used.</p>
+<p>Revocation is considered best-effort. Errors on revocaton will not result in execution failure. A warning will be emitted on revocation failure but in some circumstances, like non-revocation failures, the warning may not be displayed.</p>
+<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
+<ul class="simple">
+<li><p><span class="ansible-option-default-bold">false</span> <span class="ansible-option-default">← (default)</span></p></li>
+<li><p><span class="ansible-option-choices-entry">true</span></p></li>
+</ul>
+</div></td>
+</tr>
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-role_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-role-id"><strong>role_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-role_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
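Review bot: "Revocation is considered best-effort" should also spell out the consequence for users: a token whose revocation fails stays valid until its TTL expires, so a short token TTL on the auth role remains necessary as defence in depth rather than something this option replaces. Suggest adding that sentence right after "Revocation is considered best-effort."; the "revocaton" typo in the same paragraph also needs fixing here.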
@@ -403,14 +418,14 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
<p>For <code class="docutils literal notranslate"><span class="pre">azure</span></code> auth, <em>role_id</em> is required.</p>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-secret_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-secret-id"><strong>secret_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-secret_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Secret ID to be used for Vault AppRole authentication.</p>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-timeout"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-timeout"><strong>timeout</strong></p>
<a class="ansibleOptionLink" href="#parameter-timeout" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 1.3.0</span></p>
@@ -419,7 +434,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
<p>If not set, then the <code class="docutils literal notranslate"><span class="pre">hvac</span></code> library’s default is used.</p>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-token"><strong>token</strong></p>
<a class="ansibleOptionLink" href="#parameter-token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -428,7 +443,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
<p>The order of token loading (first found wins) is <code class="docutils literal notranslate"><span class="pre">token</span> <span class="pre">param</span> <span class="pre">-></span> <span class="pre">ansible</span> <span class="pre">var</span> <span class="pre">-></span> <span class="pre">ANSIBLE_HASHI_VAULT_TOKEN</span> <span class="pre">-></span> <span class="pre">VAULT_TOKEN</span> <span class="pre">-></span> <span class="pre">token</span> <span class="pre">file</span></code>.</p>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_file"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-token-file"><strong>token_file</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_file" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -436,14 +451,14 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
<p class="ansible-option-line"><span class="ansible-option-default-bold">Default:</span> <span class="ansible-option-default">“.vault-token”</span></p>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_path"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-token-path"><strong>token_path</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_path" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>If no token is specified, will try to read the <em>token_file</em> from this path.</p>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_validate"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-token-validate"><strong>token_validate</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_validate" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 0.2.0</span></p>
@@ -459,7 +474,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-url"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-url"><strong>url</strong></p>
<a class="ansibleOptionLink" href="#parameter-url" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -468,14 +483,14 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
<p>If <code class="docutils literal notranslate"><span class="pre">VAULT_ADDR</span></code> is also not defined then an error will be raised.</p>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-username"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-username"><strong>username</strong></p>
<a class="ansibleOptionLink" href="#parameter-username" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Authentication user name.</p>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-validate_certs"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-validate-certs"><strong>validate_certs</strong></p>
<a class="ansibleOptionLink" href="#parameter-validate_certs" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
@@ -489,7 +504,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-version"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-kv2-get-module-parameter-version"><strong>version</strong></p>
<a class="ansibleOptionLink" href="#parameter-version" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
</div></td>
diff --git a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/vault_login_lookup.html b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/vault_login_lookup.html
index 3f38059..cc33689 100644
--- a/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/base/collections/community/hashi_vault/vault_login_lookup.html
+++ b/home/runner/work/community.hashi_vault/community.hashi_vault/docsbuild/head/collections/community/hashi_vault/vault_login_lookup.html
@@ -611,6 +611,32 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-revoke_ephemeral_token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-login-lookup-parameter-revoke-ephemeral-token"><strong>revoke_ephemeral_token</strong></p>
+<a class="ansibleOptionLink" href="#parameter-revoke_ephemeral_token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
+<p><span class="ansible-option-versionadded">added in community.hashi_vault 3.3.0</span></p>
+</div></td>
+<td><div class="ansible-option-cell"><p>When <code class="docutils literal notranslate"><span class="pre">true</span></code>, tokens created implicitly by auth methods will be revoked when the operation they are used for is completed.</p>
+<p>For example, calling <a class="reference internal" href="vault_read_module.html#ansible-collections-community-hashi-vault-vault-read-module"><span class="std std-ref">community.hashi_vault.vault_read</span></a> with <code class="docutils literal notranslate"><span class="pre">userpass</span></code> auth will perform a <code class="docutils literal notranslate"><span class="pre">userpass</span></code> login to retrieve a token, perform a read with that token, then attempt to revoke the token so it can no longer be used.</p>
+<p>Revocation is considered best-effort. Errors on revocaton will not result in execution failure. A warning will be emitted on revocation failure but in some circumstances, like non-revocation failures, the warning may not be displayed.</p>
+<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
+<ul class="simple">
+<li><p><span class="ansible-option-default-bold">false</span> <span class="ansible-option-default">← (default)</span></p></li>
+<li><p><span class="ansible-option-choices-entry">true</span></p></li>
+</ul>
+<p class="ansible-option-line"><span class="ansible-option-configuration">Configuration:</span></p>
+<ul>
+<li><p>INI entry:</p>
+<div class="highlight-YAML+Jinja notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">[</span><span class="nv">hashi_vault_collection</span><span class="p p-Indicator">]</span><span class="w"></span>
+<span class="l l-Scalar l-Scalar-Plain">revoke_ephemeral_token = false</span><span class="w"></span>
+</pre></div>
+</div>
+</li>
+<li><p>Environment variable: ANSIBLE_HASHI_VAULT_REVOKE_EPHEMERAL_TOKEN</p></li>
+<li><p>Variable: ansible_hashi_vault_revoke_ephemeral_token</p></li>
+</ul>
+</div></td>
+</tr>
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-role_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-login-lookup-parameter-role-id"><strong>role_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-role_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
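Review bot: this option reads contradictory on vault_login, whose purpose is to return the login response, token included, for later use; with revoke_ephemeral_token=true the lookup would revoke the very token it hands back ("tokens created implicitly by auth methods will be revoked when the operation they are used for is completed"). Either exclude the option from the vault_login lookup, or state in its description that enabling it here renders the returned token unusable.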
@@ -635,7 +661,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-secret_id"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-login-lookup-parameter-secret-id"><strong>secret_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-secret_id" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -651,7 +677,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-timeout"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-login-lookup-parameter-timeout"><strong>timeout</strong></p>
<a class="ansibleOptionLink" href="#parameter-timeout" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
<p><span class="ansible-option-versionadded">added in community.hashi_vault 1.3.0</span></p>
@@ -672,7 +698,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-login-lookup-parameter-token"><strong>token</strong></p>
<a class="ansibleOptionLink" href="#parameter-token" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -690,7 +716,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_file"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-login-lookup-parameter-token-file"><strong>token_file</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_file" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -714,7 +740,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_path"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-login-lookup-parameter-token-path"><strong>token_path</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_path" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
@@ -737,7 +763,7 @@ see <a class="reference internal" href="#ansible-collections-community-hashi-vau
</ul>
</div></td>
</tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token_validate"></div><p class="ansible-option-title" id="ansible-collections-community-hashi-vault-vault-login-lookup-parameter-token-validate"><strong>token_validate</strong></p>
<a class="ansibleOptionLink" href="#parameter-token_validate" title="Permalink to this |
(I'll clean up the lints when I'm done.)
Thanks for your patience on this! I've spent some time looking it over today. I want to reiterate that I like the idea a lot, to have a way to proactively revoke the tokens. Something is nagging me about the extra try/finally blocks we have to add everywhere, I am wondering if we can find a way to make this a little easier and less prone to forgetting it in new plugins. I'm also thinking about whether the revocation/logout functionality should belong to the authenticator class or elsewhere. I've got a few ideas that I'm going to play with a little bit.
The testing will ultimately depend on how we implement the functionality in the end, so let's see how much testing we do in the auth methods. The way it's currently implemented, the auth method is only responsible for returning whether that method should have its ephemeral token revoked.
The way I test some of these internals in integration tests is with special plugins and modules written for the tests instead of using the collection, that's where
Right this is the tricky part. We really do need to test that all plugins and modules implement this functionality properly, because it's really easy to miss: everything "works" correctly if it's left out, and it's hard to see that the resulting token was not revoked. For this, I think it will fall largely on the unit tests to ensure that when they are called with the right options they call the right method(s), it's an indirect way to ensure that.
You might want to wait a bit before adding more in the unit tests, let's see what we can come up with in tweaking the implementation a little, and then it should be a little clearer how to address the testing.
It's close, there's a few small things that need to be changed (default needs to be set in the docstring, plugins use that as code), needs version_added, we'll fix that up later as needed. In the meantime, please rebase, I've fixed the issue that was causing
Hi @horazont , I apologize for further delays. I've had some things take up a lot of personal time recently. I'm trying to get caught up on pending work in the collection. I've just released version 3.2.0 which contains a fix for the sanity errors, and contains a new auth method, so I will ask you to rebase once again, and then I can go back to working through some of the ideas I was working on. Thank you for your patience 🙏
No need to apologize, thanks for the reply. Did the rebase, worked without conflicts \o/.
@horazont could you ensure you've checked the box on this PR to allow maintainers to push to your branch/repository? I've tried but I got permission denied:

$ git push cloudandheat HEAD:feature/ephemeral-token-revocation
ERROR: Permission to cloudandheat/community.hashi_vault.git denied to briantist.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.

Please also rebase once more 🙏
Since I was not able to push to your branch, I pushed to a new one of my own (starting from yours, so it contains your changes too).
Here is my branch, compared to yours, so showing the things I changed:
Here is my branch, compared to the collection
Here's a summary of what I've done:
I still consider this WIP; I have not touched the tests at all, so they are pretty broken now, but I wanted to stop here and see how you felt about this approach first. I may also consider some changes to omitted vs
Please let me know what you think!
Thanks, I couldn't find the button :/ I've read through the diffs and I must say this is looking pretty good to me. Clever use of the context manager and moving the default into the base class also helps readability a lot. To me, that looks great. How would you like to proceed? I'm going to be on vacation for 14d starting on September 1st, and I probably won't get around to work on this before. I can pick it up at the end of September though.
I think it's usually a checkbox at the bottom of the right sidebar, below or near the Subscribe/Unsubscribe button?
Thank you!
I see, that's no problem at all. If I can push to the branch, I may continue some work on it if/when I have time, or at least keep it rebased and up-to-date with any other changes, but we can definitely pick it up in earnest when you get back. I hope you enjoy your time off :)
Ah, I figured it out. The source repository is owned by my employer's org, and apparently that cross-repo pushing only works for personal repositories (emphasis mine):
I suppose for the time of my vacation, it makes most sense that if you want to do anything, you do so in your branch and let me know here, then I'll force-pull from your branch once I pick this up after vacation?
The lack of token revocation (when we use JWT) is resulting in complaints from the ops team that runs Vault, when we utilize this module. Is there any guess when this may be resolved?
Hi @brettjacobson , thanks for showing your support for this new feature! The PR author is on vacation at the moment but we've made some really good progress on it. In the end it depends on the time we both have to put toward it, but I'd like to see it out within about a month if everything works out. In the meantime, there are two main possibilities for how to mitigate this in your environment:
Thanks again, feel free to subscribe to this PR to get updates.
o/ Fear not, for I have returned! @briantist Did you do anything in the past weeks I need to pull in from somewhere or can I go ahead as soon as it fits me to work on this?
Welcome back!
I did not, I've unfortunately had an avalanche of things taking up my time 😭 The stuff I put up in my branch last we talked is how I left it. It would be great if we could get it into a place where I can push up changes as well, that'd be best for collaborating I think. Otherwise, go ahead! You'll likely need a rebase (and another after #308 ).
If the plugin logs into Vault in the process of executing a task beyond just logging in (i.e. not in e.g. the token_create lookup), the tokens should be revoked at the end of the action to prevent them from leaking. In order to support that, the authentication method needs to tell us whether it created a fresh token (which we should revoke) or whether it used a token provided by the caller (which we should not revoke).
Hi again! :-) I force-pulled from your branch, rebased, and then went and tried to fix all the unit tests. Do you think this is a valid approach at testing (see
If so, I'd go ahead and add unit tests for the other modules and lookups, and then follow up with the integration tests.
I accidentally the other unit tests, so I think this is now done except for linting and integration tests?
Thank you for adding the integration tests! I added one note about using the test plugins that can help with the no_log, other than that I will need some time to go through this fully.
Integration tests are failing on orphan token stuff, and there was a PR for that while you were gone so I'm wondering if you didn't rebase against/merge from main? The PR was #210 where that stuff was changed.
Also I will be targeting 100% diff coverage and it seems we're missing a little bit somewhere (I didn't look at the full coverage report yet, but it's also showing some strange stats, which might be another indication that the branch is out of date).
This is really coming together, thank you!

# the token auth method never has ephemeral tokens, so we expect all tokens
# to continue to be usable even if `revoke_ephemeral_token` is set to true.
- name: Read token information using plugin
  community.hashi_vault.vault_read:
this is one of the reasons I generally avoid using the end-user facing plugins within the other integration tests, instead preferring the test plugins that are in tests/integration/targets/setup_vault_test_plugins, see vault_ci_read.
I'm not sure what you mean. This is intentional; I want to test there that the token is not revoked, no matter what you say in revoke_ephemeral_token, because it is not ephemeral.
Am I missing anything?
token_create and login are excluded because it's the whole point of them to create a token for later use.
That probably means that I messed up the merge. I'll get right to it.
@horazont If getting it added to 3.x.x is not important for you, then don't worry about the deadline.
@briantist Yeah, let's not worry about 4.0.0. I'm still looking into the integration tests and will look into getting the lint right after that. Unfortunately, my ansible-test dev environment broke again a week or two back and I haven't gotten around to fixing it :/ (but will do so, eventually).
Does this mean we can expect this feature in a few weeks, in a 4.x?
It means it will be in a 4.x.0 version (and not a 3.x.0 version), but timing still depends on availability for both of us. This is a busy time of year for a lot of people, myself included, but I look forward to getting it across the line. Were you able to look into any of the workarounds I mentioned previously?
Can you link the workarounds? But I am pretty sure they don't work for us. Convincing 100s of internal customers to do workarounds isn't very viable for us.
Thanks but nah, our main problem lately is rate limiting, because so many repeated requests keep getting sent to our Vault server. Hopefully this PR gets shipped soon!
Are there any near term plans to finish this PR? Seems like there hasn't been any active development on it since end of September :(
I certainly would like to have this feature as well. @horazont how are you feeling about picking this up again?
Some good news perhaps, is that a lot of improvements to
Hey @horazont I wanted to check in once more and see if you're interested in working on this again. If not that's ok too, in that case I might take the current commits and put them on a new branch that I could commit to, to see if I could get it across the line, when I have some time.
Hi @briantist As much as I hate leaving unfinished work, I don't see myself having enough time to finish this off. I'm also ok if you drop the changes, I don't want to force them onto your future maintenance budget. Thanks for checking in!
@horazont no problem, thanks for following up!
@briantist Do you foresee this work being resumed any time soon?
@brettjacobson I know you've been interested in this feature for a long time, so I'm sure it's disappointing to hear. If you're at all interested in taking it up, I do try to prioritize other contributors' work, but I admit this change is bigger than most and going off the original branch will have a lot of conflicts to resolve, so I understand if you're reluctant to do so.
@briantist We've finally been able to implement the workaround per the docs of using a single login command using the JWT, then the lookup, then setting fact, to reduce the number of Vault lookups. It's just really painful to explain to our 100s of dev teams why they need to do the workaround and understand what's going on in it. We had mostly been looking forward to the internal caching that would have taken place so that the number of vault logins was reduced to 1 just using the simple lookup.
@brettjacobson glad to hear you've been able to work around it, I definitely agree that a workaround is not ideal, and that this is better handled within the plugins and modules.
Just to clarify, the work here is to do automatic token revocation in the modules, but would not do any caching of the token or re-use it between plugin/module calls.
SUMMARY
For the modules and lookups which are not meant specifically about creating tokens for later use (e.g. vault_read, vault_write, ..), this change adds revocation of the tokens generated by non-Token and non-None authentication methods.
There is no reason to keep those tokens valid. Valid tokens consume space in Vault and may be a security risk if leaked somewhere. As tokens generally expire and it would require extra work (e.g. vault_read against the lookup/self endpoint) to obtain the token generated by this plugin, I don't consider this a security issue as-is.
When implementing this, I went for a helper function on the Authenticator, to keep the code in the modules shorter and more concise. The authentication modules themselves provide the information about the revokability of the token to the Authenticator, so that we can distinguish the Token method (where the token has been supplied externally and should not be revoked) and the other methods cleanly.
ISSUE TYPE
COMPONENT NAME
Authentication
ADDITIONAL INFORMATION
Before this change, if you ran vault_read against auth/token/lookup/self and used the token in the result, it would still be valid.
After this change, the token is revoked before vault_read returns, preventing accidental later use.
The token_create and login modules/lookups are not affected, as those are clearly intended to obtain a token for later use.