HashiCorp Vault (HCV) supports multiple token types for authentication. So far, we've only ever used the root token, which has an infinite TTL and cannot be renewed. Using the root token is not recommended for obvious reasons, and might not even be possible in managed situations.
All other tokens have a finite TTL, so they must be renewed. Non-renewable tokens exist, but they are not relevant here.
There are several ways to renew a token through the REST API: by token ID (auth/token/renew), by accessor (auth/token/renew-accessor), or for the calling token itself (auth/token/renew-self).
The most useful to us will likely be either the accessor or the "self" renewal.
Which Areas Would Be Affected?
HashiCorp Vault extension
Why Is the Feature Desired?
Security: should not use root token
Convenience: could be impractical or even impossible to use root token (managed environments)
Necessity: all tokens other than the root token have a finite lifespan
Solution Proposal
the edc.vault.hashicorp.token property contains the non-root token
a new edc.vault.hashicorp.token.ttl property is added containing the TTL in seconds, defaulting to 300 (5 min)
upon boot-up, the implementation checks if the token is renewable (via token lookup)
if the token is not renewable, a warning is logged
the token is immediately renewed, setting it to the configured TTL
a scheduled executor is created to run at TTL - 10 seconds (to account for transient network errors) that performs the renewal
Q&A
how will this behave in a clustered environment? most likely, it will just work, as the token itself will not change, only its TTL. At worst, the token will get renewed much more often than necessary.
how does one create the "initial" token? This is out of scope of this issue
what happens if my runtime crashes? Most likely nothing, as the token string will still be the same. No reconfiguration is needed
Can I still use my root token? Yes, but you really shouldn't.
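The renewal loop from the Solution Proposal (lookup on boot, warn if not renewable, renew immediately, reschedule at TTL - 10 s), as an added example in Python against the documented token endpoints. This is not EDC code and not the extension's implementation (EDC is Java); the token string and the FakeVault stand-in for the two endpoints are constructed so the example runs offline, and the http_transport function is an assumed minimal client for a real Vault. One practitioner check it adds: the "increment" in a renew request is only a request, and Vault may grant less (an explicit max TTL, a policy max TTL, or a shorter remaining lifetime), so the next run is scheduled from the auth.lease_duration Vault actually returns rather than from the configured property.

```python
"""Renewal loop for a non-root Vault token, driven by what Vault returns.

Added example (not EDC code). Uses the documented endpoints
auth/token/lookup-self and auth/token/renew-self through a pluggable
transport so the same logic runs offline against a constructed FakeVault.
"""
import json
import logging
import threading
import urllib.request
from typing import Callable, Optional

log = logging.getLogger("vault.renewer")

LOOKUP_SELF = "/v1/auth/token/lookup-self"
RENEW_SELF = "/v1/auth/token/renew-self"

# transport(method, path, json_body_or_None, token) -> parsed JSON response
Transport = Callable[[str, str, Optional[dict], str], dict]


def http_transport(vault_addr: str) -> Transport:
    """Assumed minimal urllib client for a real Vault at vault_addr."""
    def call(method: str, path: str, body: Optional[dict], token: str) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            vault_addr.rstrip("/") + path, data=data, method=method,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    return call


class TokenRenewer:
    """Lookup on boot, renew now, reschedule SAFETY_MARGIN before the granted TTL ends."""
    SAFETY_MARGIN = 10  # seconds, to absorb transient network errors

    def __init__(self, transport: Transport, token: str, ttl_seconds: int = 300):
        self._transport, self._token, self._ttl = transport, token, ttl_seconds
        self._timer: Optional[threading.Timer] = None

    def check_renewable(self) -> bool:
        """Boot-time lookup; warn (do not fail) if the token cannot be renewed."""
        data = self._transport("GET", LOOKUP_SELF, None, self._token)["data"]
        renewable = bool(data.get("renewable", False))
        if not renewable:
            log.warning("token is not renewable; it expires in %ss", data.get("ttl"))
        return renewable

    def renew_once(self) -> int:
        """Renew the calling token and return the TTL Vault actually granted."""
        body = {"increment": f"{self._ttl}s"}  # a request, not a guarantee
        auth = self._transport("POST", RENEW_SELF, body, self._token)["auth"]
        granted = int(auth["lease_duration"])
        if granted < self._ttl:
            log.warning("requested %ss, Vault granted %ss (max TTL cap?)", self._ttl, granted)
        return granted

    def next_delay(self, granted_ttl: int) -> int:
        """Run again SAFETY_MARGIN before expiry of the granted TTL, never under 1 s."""
        return max(granted_ttl - self.SAFETY_MARGIN, 1)

    def run_cycle(self) -> int:
        """One renewal; arms the timer for the next one and returns that delay."""
        delay = self.next_delay(self.renew_once())
        self._timer = threading.Timer(delay, self.run_cycle)
        self._timer.daemon = True
        self._timer.start()
        return delay

    def stop(self) -> None:
        if self._timer:
            self._timer.cancel()


class FakeVault:
    """Constructed stand-in for the two endpoints; explicit max TTL is modelled
    as a fixed remaining budget rather than a decreasing clock."""

    def __init__(self, token: str, renewable: bool = True, ttl: int = 60,
                 explicit_max_ttl: int = 0):  # 0 means no explicit max, as in Vault
        self.token, self.renewable, self.ttl = token, renewable, ttl
        self.max_remaining = explicit_max_ttl

    def __call__(self, method: str, path: str, body: Optional[dict], token: str) -> dict:
        if token != self.token:
            raise PermissionError("403 permission denied")
        if method == "GET" and path == LOOKUP_SELF:
            return {"data": {"renewable": self.renewable, "ttl": self.ttl,
                             "explicit_max_ttl": self.max_remaining}}
        if method == "POST" and path == RENEW_SELF:
            if not self.renewable:
                raise ValueError("400 lease is not renewable")
            requested = int(str(body["increment"]).rstrip("s"))
            granted = min(requested, self.max_remaining) if self.max_remaining else requested
            self.ttl = granted
            return {"auth": {"client_token": token, "renewable": True,
                             "lease_duration": granted}}
        raise LookupError(f"404 {method} {path}")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    tok = "hvs.constructed-example"  # constructed, not a real token
    renewer = TokenRenewer(FakeVault(tok, explicit_max_ttl=120), tok, ttl_seconds=300)
    renewer.check_renewable()
    renewer.run_cycle()  # granted 120 s, so the next run is in 110 s, not 290 s
    renewer.stop()
```

For a real Vault, swap `FakeVault(...)` for `http_transport("https://vault.example:8200")` and pass the value of edc.vault.hashicorp.token; the renewer logic is unchanged. The stop() call matters on shutdown, and a token that is found non-renewable at boot should also be reported loudly at the point where the first renew fails, since the warning alone leaves the runtime to die quietly when the TTL runs out.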