In the last article I wrote about how to create dynamic secrets for AWS. By default, the credentials that Vault generates are valid for about a month (the default lease TTL is 768 hours). Too long, right? There is a way to control how long the credentials stay valid, and that is via leases.
With every dynamic secret and service-type authentication token, Vault creates a lease: metadata containing information such as a time duration, renewability and more.
Once the lease expires, Vault automatically revokes the data, and the consumer of the secret can no longer be certain that it is valid.
Of course, a lease can be manually revoked as well.
Let's see how to configure a lease. I will create a new secret of the AWS type, the same as in the last article. Here the name of the new secret is aws-demo. Under its configuration, the default lease TTL can be changed.
Max lease TTL is the maximum time, counted from when the lease was issued, up to which a lease can be renewed; no renewal can push the expiry past it.
A lease's time period can be renewed as well. Below is the screenshot for doing it via the GUI.
Execute the command below to do it via the CLI. The increment is the requested extension in seconds; Vault may grant less than requested, and the lease_duration it returns is the authoritative value.
vault lease renew -increment=3600 aws/creds/MyAdminRole/RsutodDiUBtc8MB1iymumLLV
To revoke a lease:
vault lease revoke aws/creds/MyAdminRole/RsutodDiUBtc8MB1iymumLLV
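The renew and revoke commands above are thin wrappers over Vault's sys/leases/* HTTP API. The script below is an added example (not code from the original post or from Vault) that walks one lease through lookup, two renewals and revocation over that API, so you can see the max-TTL cap and the post-revoke error in action. To run offline it talks to a constructed in-process stand-in for the three endpoints; the token, the fake clock values and the 1h/24h mount TTLs are assumptions, and the lease ID is the one shown in the post. LeaseClient sends the same request shapes a real Vault expects, so it can be pointed at a live VAULT_ADDR instead.

```python
"""Lease lifecycle over Vault's HTTP API: lookup, renew, revoke.

Added example, not the post's code. FakeVault is a constructed stand-in
for sys/leases/{lookup,renew,revoke}; LeaseClient uses Vault's real paths
and request bodies. Token, clock and TTL values are assumptions.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_TTL = 3600     # assumed mount default lease TTL (1h)
MAX_TTL = 24 * 3600    # assumed mount max lease TTL (24h)
LEASES = {}            # constructed lease table: id -> {issued, expires}


class FakeVault(BaseHTTPRequestHandler):
    """Stand-in for sys/leases/* (constructed for this example, not Vault)."""
    now = 0  # fake clock in seconds, advanced by run_demo()

    def _send(self, code, body=None):
        payload = json.dumps(body).encode() if body is not None else b""
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        req = json.loads(raw or b"{}")
        lease_id = req.get("lease_id")
        lease = LEASES.get(lease_id)
        # An expired lease is gone: Vault would already have revoked it.
        if lease is not None and FakeVault.now >= lease["expires"]:
            del LEASES[lease_id]
            lease = None
        if lease is None:
            return self._send(400, {"errors": ["lease not found"]})
        if self.path == "/v1/sys/leases/lookup":
            data = {"id": lease_id, "renewable": True,
                    "ttl": lease["expires"] - FakeVault.now}
            return self._send(200, {"data": data})
        if self.path == "/v1/sys/leases/renew":
            # The increment is only a request: expiry never passes issue + max TTL.
            wanted = FakeVault.now + int(req.get("increment", DEFAULT_TTL))
            lease["expires"] = min(wanted, lease["issued"] + MAX_TTL)
            return self._send(200, {"lease_id": lease_id, "renewable": True,
                                    "lease_duration": lease["expires"] - FakeVault.now})
        if self.path == "/v1/sys/leases/revoke":
            del LEASES[lease_id]
            return self._send(204)
        self._send(404, {"errors": ["unsupported path"]})

    do_PUT = do_POST

    def log_message(self, *args):  # keep the demo output quiet
        pass


class LeaseClient:
    """Client for the three lease endpoints, using Vault's real paths and bodies."""

    def __init__(self, addr, token):
        self.addr, self.token = addr.rstrip("/"), token

    def _call(self, path, body):
        req = urllib.request.Request(
            self.addr + path, data=json.dumps(body).encode(), method="PUT",
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return json.loads(raw) if raw else {}   # revoke answers 204, no body
        except urllib.error.HTTPError as err:
            return json.loads(err.read() or b'{"errors": []}')

    def lookup(self, lease_id):
        return self._call("/v1/sys/leases/lookup", {"lease_id": lease_id})

    def renew(self, lease_id, increment):
        return self._call("/v1/sys/leases/renew", {"lease_id": lease_id, "increment": increment})

    def revoke(self, lease_id):
        return self._call("/v1/sys/leases/revoke", {"lease_id": lease_id})


def run_demo():
    """Walk one lease through lookup, two renewals (one capped) and revocation."""
    server = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    client = LeaseClient("http://127.0.0.1:%d" % server.server_port, "hvs.constructed")
    lease_id = "aws/creds/MyAdminRole/RsutodDiUBtc8MB1iymumLLV"   # ID from the post
    FakeVault.now = 0
    LEASES[lease_id] = {"issued": 0, "expires": DEFAULT_TTL}
    out = {}
    out["initial_ttl"] = client.lookup(lease_id)["data"]["ttl"]        # 3600
    FakeVault.now = 3000
    out["renewed"] = client.renew(lease_id, 3600)["lease_duration"]    # 3600, full increment
    FakeVault.now = 6000
    out["capped"] = client.renew(lease_id, 86400)["lease_duration"]    # 80400, cut at issue + 24h
    out["revoked"] = client.revoke(lease_id)                            # {} from the 204
    out["after_revoke"] = "errors" in client.lookup(lease_id)           # True, lease is gone
    server.shutdown()
    return out


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The `-increment=3600` in the post's `vault lease renew` command is the same `increment` field the client sends, and the `lease_duration` in the reply is what you should trust, not the number you asked for: the second renewal asks for a full day and gets only what is left under the mount's max TTL. On a real server, the TTLs the stand-in hard-codes are set on the mount with `vault secrets tune -default-lease-ttl=1h -max-lease-ttl=24h aws-demo/`, which is the CLI equivalent of the GUI configuration screen described above.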