HashiCorp Certified: Vault Associate Certification
Assess Vault Tokens
Token Accessors
Learn how to use token accessors to manage Vault tokens—lookup, renew, and revoke—without exposing the token itself.
Every Vault token has an associated accessor that supports exactly four operations:
- Lookup token metadata (no token reveal)
- Check a token’s capabilities on a given path
- Renew a token’s TTL
- Revoke a token
Note
A token accessor cannot be used to authenticate to Vault or perform standard data operations.
Token Accessor Operations
Operation | Description | CLI Example |
---|---|---|
Lookup metadata | View creation time, TTL, policies (no token reveal) | vault token lookup -accessor <accessor> |
Check capabilities | Inspect capabilities on a specific path | vault token capabilities -accessor <accessor> secret/ |
Renew token | Extend a token’s TTL | vault token renew -accessor <accessor> |
Revoke token | Disable a token immediately | vault token revoke -accessor <accessor> |
1. Authenticate and View Your Token Accessor
Log in and note your token accessor:
vault login s.cbC7GJ6U6JaDuDSgkyVcKDv
Success! You are now authenticated.
Key Value
--- -----
token s.cbC7GJ6U6JaDuDSgkyVcKDv
token_accessor K6pHtVc9LbXQdUavg2J1Ixa2
token_duration ∞
token_renewable false
policies ["root"]
Create a service token with the training
policy and a 30-minute TTL:
vault token create -policy=training -ttl=30m
Key Value
--- -----
token s.5YmCHHV80mN3dJpzOwvVAYk8
token_accessor 2ogWa36gDH5ws08VbuxroByx
token_duration 30m
token_renewable true
policies ["default" "training"]
2. Lookup Token Metadata
Use the accessor to inspect metadata without revealing the secret:
vault token lookup -accessor 2ogWa36gDH5ws08VbuxroByx
Key Value
--- -----
accessor 2ogWa36gDH5ws08VbuxroByx
creation_time 1632576647
creation_ttl 30m
display_name token
expire_time 2021-09-25T10:00:47.0615482-04:00
policies [default training]
renewable true
ttl 29m18s
type service
3. Renewing a Token
Extend a token’s TTL using its accessor:
vault token renew -accessor 2ogWa36gDH5ws08VbuxroByx
Key Value
--- -----
token_accessor 2ogWa36gDH5ws08VbuxroByx
token_duration 30m
token_renewable true
policies ["default" "training"]
4. Revoking a Token
Revoke the token securely by referencing its accessor:
vault token revoke -accessor 2ogWa36gDH5ws08VbuxroByx
Success! Revoked token (if it existed)
Warning
Setting VAULT_TOKEN
to an accessor will not permit secret-read or write operations. Always use the actual token for data access.
Attempting a KV get with an accessor:
export VAULT_TOKEN=2ogWa36gDH5ws08VbuxroByx
vault kv get secret/apps/training
Error making API request.
Code: 403. Errors:
* permission denied
Why Token Accessors?
- Safely delegate token lookup, renewal, and revocation without sharing the secret.
- Minimize blast radius when handing off token management.
- Automate bookkeeping tasks in CI/CD pipelines without exposing credentials.
References
Watch Video
Watch video content