How to manage tokens in Hashicorp's Vault

Question

I am implementing Vault for my team to use and store secrets, and we wanted to keep it simple so we decided to go with the default token authentication.

The thing is I can't find a way to manage tokens that were created, so that if I want to revoke a certain person's token, I know exactly which one to revoke.

Does anyone know how to manage tokens in Vault?

Answer 1

You cannot list the tokens because tokens are sensitive information.

You can list token accessors (API docs)

which will give you a value like this 476ea048-ded5-4d07-eeea-938c6b4e43ec which is safe to share - think of it as a pointer to the token.

Then you can lookup the token accessor (API docs) and get a response like this

{
  "data": {
    "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
    "creation_time": 1523979354,
    "creation_ttl": 2764800,
    "display_name": "ldap2-tesla",
    "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
    "expire_time": "2018-05-19T11:35:54.466476215-04:00",
    "explicit_max_ttl": 0,
    "id": "",
    "identity_policies": ["dev-group-policy"],
    "issue_time": "2018-04-17T11:35:54.466476078-04:00",
    "meta": {
      "username": "tesla"
    },
    "num_uses": 0,
    "orphan": true,
    "path": "auth/ldap2/login/tesla",
    "policies": ["default", "testgroup2-policy"],
    "renewable": true,
    "ttl": 2763902
  }
}

which will probably help you figure out if the tokens requires revoking or not.