HashiCorp Certified: Vault Associate Certification
Assess Vault Tokens
Setting the Token Type
When you create a Vault token, you control its lifecycle and capabilities by specifying its type and duration. You can do this either directly via the CLI/API or by configuring an authentication method such as AppRole.
1. Creating Tokens via CLI
Use vault token create
flags to define token type, TTL, and renewal behavior.
Common Flags
Flag | Purpose | Example |
---|---|---|
-type | Specifies the token type (service or batch ) | -type="batch" |
-ttl | Sets a time-to-live (non-renewable) | -ttl="60s" |
-period | Creates a renewable (periodic) token | -period="24h" |
Note
By default, Vault issues a non-renewable service token when no -type
or -period
is provided.
Example: Periodic Token (24h)
vault token create \
-policy="training" \
-period="24h"
Output:
Key Value
--- -----
token s.2kjqZl2ofDr3efPdtMJ1z5dZ
token_accessor 73rjN1kmnzW7lpMw9H7p6P9
token_duration 24h
token_renewable true
token_policies ["default" "training"]
identity_policies []
policies ["default" "training"]
- The
-period="24h"
flag makes the token periodic and renewable. - Omit
-period
to create a one-time service token. - Use
-type="batch"
with-ttl
to generate a batch token.
2. Configuring Token Types in an Auth Method
You can predefine token types for roles within an auth method. This example uses AppRole Auth Method:
Enable AppRole
vault auth enable approle
Create Roles with Specific Token Settings
Batch Token Role (TTL = 60s)
vault write auth/approle/role/training \ policies="training" \ token_type="batch" \ token_ttl="60s"
Periodic Token Role (Period = 72h)
vault write auth/approle/role/jenkins \ policies="jenkins" \ period="72h"
Role | Token Type | Duration | Description |
---|---|---|---|
training | batch | 60s (TTL) | Short-lived, non-renewable batch token |
jenkins | service → periodic | 72h (renewable) | Renewable periodic service token |
Warning
Roles without an explicit token_type
default to service tokens. Ensure you set token_type
or period
for the desired behavior.
Summary
You have two methods to control Vault token types and lifecycles:
CLI/API Flags:
-type
for service or batch-ttl
for non-renewable duration-period
for renewable tokens
Auth Method Configuration:
- Set
token_type
,token_ttl
, andperiod
in role definitions
- Set
By using these techniques, you can ensure Vault issues tokens that match your security and operational requirements.
Links and References
Watch Video
Watch video content