secret/generic: TTL ignored when sent as integer #2697

Closed
stampycode opened this issue May 9, 2017 · 7 comments
@stampycode
Contributor

Sets the TTL to 300 seconds:

curl --request PUT --data '{"2": "abcd", "ttl": "300"}' \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    ${VAULT_ADDR}/v1/secret/foo

Ignores the TTL value, with no error or warning:

curl --request PUT --data '{"2": "efgh", "ttl": 300}' \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    ${VAULT_ADDR}/v1/secret/foo

The behaviour of the TTL field also isn't explained in the api docs, which is another issue.

@jefferai
Member

jefferai commented May 9, 2017

It actually is explained in the docs. From the docs:

There is one piece of special data handling: if a ttl key is provided, it will be treated as normal data, but on read the backend will attempt to parse it as a duration (either as a string like 1h or an integer number of seconds like 3600). If successful, the backend will use this value in place of the normal lease_duration. However, the given value will also still be returned exactly as specified, so you are free to use that key in any way that you like if it fits your input data.

@jefferai
Member

jefferai commented May 9, 2017

(I didn't close this because not properly handling a non-string is indeed a bug and we'll fix it.)

@jefferai jefferai added this to the 0.7.3 milestone May 9, 2017
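
A sketch of the parsing rule the quoted docs describe (a duration string like 1h or an integer number of seconds), written so that a `ttl` of any other JSON type produces an error instead of being dropped silently. This is an added example, not Vault's code and not part of the issue thread; `parseTTLHint` and `fromSeconds` are hypothetical names and the request bodies are constructed from the two curl calls above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// parseTTLHint (hypothetical helper) reads the "ttl" key of a secret's JSON
// body. found is false when the key is absent: the mount default then applies.
func parseTTLHint(body []byte) (ttl time.Duration, found bool, err error) {
	var data map[string]interface{}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.UseNumber() // keep 300 as json.Number rather than float64
	if err = dec.Decode(&data); err != nil {
		return 0, false, err
	}
	raw, ok := data["ttl"]
	if !ok {
		return 0, false, nil
	}
	switch v := raw.(type) {
	case json.Number: // "ttl": 300
		return fromSeconds(v.String())
	case string: // "ttl": "1h" or "ttl": "300"
		if d, perr := time.ParseDuration(v); perr == nil && d >= 0 {
			return d, true, nil
		}
		return fromSeconds(v)
	default: // bool, object, array, null: report instead of ignoring
		return 0, true, fmt.Errorf("ttl has unsupported JSON type %T", raw)
	}
}

func fromSeconds(s string) (time.Duration, bool, error) {
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil || n < 0 {
		return 0, true, fmt.Errorf("ttl %q is not a duration or whole seconds", s)
	}
	return time.Duration(n) * time.Second, true, nil
}

func main() { // constructed bodies mirroring the two curl calls in the issue
	for _, b := range []string{`{"2": "abcd", "ttl": "300"}`, `{"2": "efgh", "ttl": 300}`} {
		fmt.Println(parseTTLHint([]byte(b)))
	}
}
```
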
@stampycode
Contributor Author

stampycode commented May 9, 2017

@jefferai I was actually referring to the API docs, which say:

see above for details.

The normal docs don't provide JSON formatted/CURL examples.

@jefferai
Member

jefferai commented May 9, 2017

Ah. Whoever split the docs missed that "see above for details". I'll point that to the non-API section of the docs.

@stampycode
Contributor Author

Also, is there something special that I have to do to the server to enforce the TTL values? Because I set a secret entry in there to 10 seconds a few minutes ago, and it's still just as available as it was when I created it.... Have I misunderstood the purpose of the TTL?

@jefferai
Member

jefferai commented May 9, 2017

The generic backend does not remove values. It's meant for a writer of a piece of data to give a hint to a reader of a piece of data as to how often to refresh the data, to prevent readers from spin-looping and flooding Vault with requests (for instance, tools such as consul-template will honor this value).

@jefferai
Member

jefferai commented May 9, 2017

The paragraph above what I quoted before explains this:

The generic backend allows for writing keys with arbitrary values. When data is returned, the lease_duration field (in the API JSON) or refresh_interval field (on the CLI) gives a hint as to how often a reader should look for a new value. This comes from the value of the default_lease_ttl set on the mount, or the system value.
