Hashicorp Vault : Manage Leases

In the last article I wrote about how to create dynamic secrets for AWS. By default the credentials that are generated are valid for 1 month. Too long, right? There is a way to control the validity of the credentials, and that is via leases.

With every dynamic secret and service-type authentication token, Vault creates a lease: metadata containing information such as a time duration, renewability and more.

Once the lease has expired, Vault automatically revokes the data, and the consumer of the secret can no longer assume that it is valid.

Of course, a lease can be manually revoked as well.

Let's see how to configure a lease. Let me create a new secret of AWS type, the same as in the last article. Here the name of the new secrets engine is aws-demo. Under its configuration, the default lease value can be changed.

Max lease TTL is the maximum time up to which a lease can be renewed.

The lease time period can be renewed as well. Below is the screenshot showing how to do it via the GUI.

Execute the command below to do it via the CLI (the increment is in seconds):

vault lease renew -increment=3600  aws/creds/MyAdminRole/RsutodDiUBtc8MB1iymumLLV

To revoke a lease:

vault lease revoke aws/creds/MyAdminRole/RsutodDiUBtc8MB1iymumLLV
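To see how these rules play out, here is an added Python model (not Vault's own code and not from the original post) of a lease parsed from `vault read -format=json` output, with `renew` and `revoke` behaving like the two commands above: a renewal extends the expiry by the requested increment but never past the max lease TTL counted from the issue time. The sample JSON, lease id, issue time and 2 h max TTL are constructed placeholders.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed stand-in for `vault read -format=json aws/creds/<role>`; placeholder values.
SAMPLE_READ_OUTPUT = """{
  "lease_id": "aws/creds/MyAdminRole/EXAMPLE_LEASE_ID",
  "lease_duration": 3600,
  "renewable": true,
  "data": {"access_key": "AKIAEXAMPLE", "secret_key": "EXAMPLE_SECRET"}
}"""
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed issue time

def at(seconds: int) -> datetime:
    """Wall-clock time `seconds` after the lease was issued (helper for the checks)."""
    return T0 + timedelta(seconds=seconds)

@dataclass
class Lease:
    lease_id: str
    issued_at: datetime
    expires_at: datetime
    renewable: bool
    max_ttl: int  # backend's max lease TTL in seconds, counted from issued_at

    @classmethod
    def from_vault_json(cls, raw: str, issued_at: datetime, max_ttl: int) -> "Lease":
        doc = json.loads(raw)
        expires = issued_at + timedelta(seconds=doc["lease_duration"])
        return cls(doc["lease_id"], issued_at, expires, doc["renewable"], max_ttl)

    def is_valid(self, now: datetime) -> bool:
        return now < self.expires_at

    def should_renew(self, now: datetime, margin: int = 300) -> bool:
        """True while the lease is alive but will expire within `margin` seconds."""
        return self.renewable and self.is_valid(now) and now + timedelta(seconds=margin) >= self.expires_at

    def renew(self, now: datetime, increment: int) -> int:
        """Model of `vault lease renew -increment=<s>`: expiry becomes now + increment,
        capped at issued_at + max_ttl. Returns the TTL actually granted, in seconds."""
        if not self.renewable or not self.is_valid(now):
            raise ValueError(f"{self.lease_id}: not renewable or already expired")
        hard_stop = self.issued_at + timedelta(seconds=self.max_ttl)
        self.expires_at = min(now + timedelta(seconds=increment), hard_stop)
        return int((self.expires_at - now).total_seconds())

    def revoke(self, now: datetime) -> None:
        """Model of `vault lease revoke <lease_id>`: the credentials die immediately."""
        self.expires_at = now
        self.renewable = False
```

A client that polls `should_renew` and calls `renew` gets the full increment until the max TTL is reached, after which Vault only grants the remainder and the consumer must fetch fresh credentials.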
