Token create command forces creating periodic token #3874

Closed
solmonk opened this issue Jan 31, 2018 · 4 comments · Fixed by #3880

solmonk (Contributor) commented Jan 31, 2018

Environment:

  • Vault Version: 0.9.3

Expected Behavior:

$ vault token create -policy=blahblah
Key            	Value
---            	-----
token          	<token>
token_accessor 	<accessor>
token_duration 	768h0m0s
token_renewable	true
token_policies 	[default blahblah]

Actual Behavior:

$ vault token create -policy=blahblah
Error creating token: Error making API request.

URL: POST https://vault.service.consul/v1/auth/token/create
Code: 400. Errors:

* root or sudo privileges required to create periodic token

I compared the raw request with the previous version (v0.9.1) of the vault client.

Previous:

{"policies":["blahblah"],"display_name":"","num_uses":0,"renewable":true}

Current:

{"policies":["blahblah"],"ttl":"0s","explicit_max_ttl":"0s","period":"0s","display_name":"","num_uses":0,"renewable":true}

It seems like the period field (along with some other fields) is always filled, which I think is the problem.

jefferai modified the milestones: near-term, 0.9.4 (Jan 31, 2018)
calvn self-assigned this (Jan 31, 2018)
calvn (Contributor) commented Jan 31, 2018

@solmonk Thanks for reporting this! I was able to reproduce the error and pinpoint the issue, which is due to the way that we parse args on the revamped CLI. In the meantime, you can correctly create tokens by hitting the API directly via cURL, Postman, etc. Concretely, this would be the command for cURL:

$ curl -H "X-Vault-Token: $VAULT_TOKEN" -d '{"policies":["blahblah"]}' -X POST $VAULT_ADDR/v1/auth/token/create

Edit: More precisely, it's due to the way that we establish default duration values in the CLI.

@andresvia

@calvn As of Vault 0.11.4 #3874 is not fixed, can you re-open? ("period":"0s" is still the default)

My repro:

> vault -version
Vault v0.11.4 ('612120e76de651ef669c9af5e77b27a749b0dba3')
> nc -l 8081 &
[1] 23388
> VAULT_TOKEN=blahblahblah vault token create -address http://127.0.0.1:8081 -policy blahblah &
[2] 23389
> POST /v1/auth/token/create HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Go-http-client/1.1
Content-Length: 122
X-Vault-Token: blahblahblah
Accept-Encoding: gzip
Connection: close

{"policies":["blahblah"],"ttl":"0s","explicit_max_ttl":"0s","period":"0s","display_name":"","num_uses":0,"renewable":true}fg
nc -l 8081
Error creating token: Post http://127.0.0.1:8081/v1/auth/token/create: EOF
> 

Thanks.

calvn (Contributor) commented Nov 8, 2018

@andresvia the JSON output you are getting from nc is the payload that the client sends out to the server, not the response that the Vault server would return. The default/empty value on the CLI side for period is 0. The server only creates a periodic token when a non-zero value is provided.

andresvia commented Nov 8, 2018

@calvn so this means I'm using a recent client with an older server... I got it. I should update the server instead to have this issue solved, right? It's unfortunately not in my hands to update the server. I think this should have been fixed on both sides to prevent cases like this.
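
Added example, not part of the original thread and not Vault's own code: a Go sketch of why a zero duration flag ends up on the wire as "0s", and how each side can treat zero as unset, the client by leaving the field out and the server by deciding on the parsed value as calvn describes. The struct, the function names and the `omitempty` tags are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// createRequest is a hypothetical stand-in for the token-create body captured
// in the issue; the duration fields are strings, as in that JSON.
type createRequest struct {
	Policies       []string `json:"policies,omitempty"`
	TTL            string   `json:"ttl,omitempty"`
	ExplicitMaxTTL string   `json:"explicit_max_ttl,omitempty"`
	Period         string   `json:"period,omitempty"`
}

// fmtDur formats a duration flag. With omitZero=false it mirrors the captured
// request: Duration(0).String() is "0s", a non-empty string omitempty keeps.
func fmtDur(d time.Duration, omitZero bool) string {
	if omitZero && d == 0 {
		return ""
	}
	return d.String()
}

// body builds the request JSON for the given flag values.
func body(policies []string, ttl, maxTTL, period time.Duration, omitZero bool) string {
	b, _ := json.Marshal(createRequest{policies, fmtDur(ttl, omitZero),
		fmtDur(maxTTL, omitZero), fmtDur(period, omitZero)})
	return string(b)
}

// periodicRequested is the server-side half: decide on the parsed value, not
// on whether the "period" key is present in the body.
func periodicRequested(raw string) (bool, error) {
	var r createRequest
	if err := json.Unmarshal([]byte(raw), &r); err != nil || r.Period == "" {
		return false, err
	}
	d, err := time.ParseDuration(r.Period)
	return d > 0, err
}

func main() {
	pol := []string{"blahblah"} // constructed sample input
	fmt.Println(body(pol, 0, 0, 0, false))
	fmt.Println(body(pol, 0, 0, 0, true))
}
```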
