HashiCorp Certified: Vault Operations Professional 2022

Scale Vault for Performance

Demo Batch Tokens

In this guide, we’ll cover how to work with HashiCorp Vault Batch Tokens. You’ll learn how to inspect existing tokens, create and revoke service tokens, generate batch tokens (including orphaned ones), and understand their key characteristics. Finally, you’ll see how to authenticate using a batch token.

Inspecting Existing Tokens

First, verify your current root token accessor:

vault token lookup

Example output:

Key               Value
---               -----
accessor          HMqNT7nOPAsreghAyixLeRks
creation_time     1655409760
display_name      root
policies          [root]
type              service

List all token accessors in Vault:

vault list auth/token/accessors
Keys
----
HMqNT7nOPAsreghAyixLeRks

Since only the root token exists, that accessor is the one you see.

Creating and Revoking a Service Token

To create a standard service token with a specific policy:

vault token create -policy=cloud-policy

Sample response:

Key                Value
---                -----
token              hvs.CAESIJBJBIUD...
token_accessor     3hwz8fd5p5U108UGxbeDb3D
token_duration     768h
renewable          true
policies           ["cloud-policy" "default"]

Now list accessors again:

vault list auth/token/accessors
Keys
----
3hwz8fd5p5U108UGxbeDb3D
HMqNT7nOPAsreghAyixLeRks

Revoke the new service token by its accessor:

vault token revoke -accessor 3hwz8fd5p5U108UGxbeDb3D
Success! Revoked token (if it existed)

Any login attempt with the revoked token fails:

vault login hvs.CAESIJBJBIUD...
Error authenticating: permission denied

Note

Granting list and revoke permissions on auth/token/accessors lets users revoke any token by accessor. Assign this capability with care.

Creating a Batch Token

Batch tokens are designed for high-performance use cases. They are longer than service tokens, non-renewable, and have no accessor.

vault token create \
  -policy=cloud-policy \
  -type=batch \
  -ttl=24h

Key                Value
---                -----
token              hvb.AAAAAQJIifEa...
token_accessor     n/a
token_duration     24h
renewable          false
policies           ["cloud-policy" "default"]

  • The hvb. prefix indicates a HashiCorp Vault Batch Token.
  • No accessor means it won’t appear in auth/token/accessors.

Inspecting the Batch Token

Retrieve its metadata:

vault token lookup hvb.AAAAAQJIifEa...

Key               Value
---               -----
accessor          n/a
creation_ttl      24h
expire_time       2022-06-22T08:49:50Z
orphan            false
policies          [cloud-policy default]
renewable         false
type              batch

Because orphan is false, this token has a parent and cannot be used across performance-replicated clusters.

Creating an Orphaned Batch Token

An orphaned batch token has no parent, making it usable across performance clusters:

vault token create \
  -policy=cloud-policy \
  -type=batch \
  -ttl=24h \
  -orphan=true

Verify the orphan status:

vault token lookup hvb.AAAAQL7ypVnQ...

Key               Value
---               -----
orphan            true
# [...]

Batch Token Characteristics

Feature           Description
-------           -----------
No Accessor       Won’t appear in auth/token/accessors
Non-Renewable     renewable: false
Non-Revocable     Attempts to revoke result in an error

vault token revoke hvb.AAAAQL7ypVnQ...
vault token renew hvb.AAAAQL7ypVnQ...
# Error renewing token: batch tokens cannot be renewed

Warning

Batch tokens cannot be renewed or revoked. Plan token lifecycles accordingly.
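The lookups above are what an operator reads by eye before handing a token to another cluster. The script below is an added example, not part of this course or of Vault itself: it classifies a token from its prefix (hvs. service, hvb. batch; hvr. for recovery tokens is a known Vault convention but does not appear on this page) and parses the Key/Value table that `vault token lookup` prints to decide whether the token is renewable and whether it is an orphan batch token, the only kind safe to use across performance-replicated clusters. The two lookup outputs embedded at the bottom are constructed samples modelled on the page's output, so it runs without a Vault server; in real use you would pipe `vault token lookup "$TOKEN"` into `summarise`.

```shell
#!/bin/sh
# Added example: classify a Vault token and read `vault token lookup` output.
# Assumes the table format shown on the page (Key / Value columns).

# Print the value of one field ("type", "orphan", "renewable", ...) from
# `vault token lookup` output supplied on stdin.
lookup_field() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Classify a token by its prefix.
token_kind() {
    case "$1" in
        hvb.*) echo batch ;;
        hvs.*) echo service ;;
        hvr.*) echo recovery ;;   # recovery-token prefix; not covered on this page
        *)     echo unknown ;;
    esac
}

# Only orphan batch tokens may be used across performance-replicated clusters.
# $1 = type, $2 = orphan flag as printed by the lookup
replication_safe() {
    if [ "$1" = batch ] && [ "$2" = true ]; then echo yes; else echo no; fi
}

# Summarise lookup output (stdin) as "<type> <orphan> <renewable> <replication-safe>".
summarise() {
    out=$(cat)
    t=$(printf '%s\n' "$out" | lookup_field type)
    o=$(printf '%s\n' "$out" | lookup_field orphan)
    r=$(printf '%s\n' "$out" | lookup_field renewable)
    printf '%s %s %s %s\n' "$t" "$o" "$r" "$(replication_safe "$t" "$o")"
}

# Constructed sample lookups (modelled on the page; not real tokens or output).
SAMPLE_NON_ORPHAN='Key               Value
---               -----
accessor          n/a
creation_ttl      24h
orphan            false
renewable         false
type              batch'

SAMPLE_ORPHAN='Key               Value
---               -----
accessor          n/a
orphan            true
renewable         false
type              batch'

# Run `sh script.sh demo` to see both samples summarised.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_NON_ORPHAN" | summarise   # batch false false no
    printf '%s\n' "$SAMPLE_ORPHAN" | summarise       # batch true false yes
fi
```

The first sample reports `no` for replication safety because, as the page notes, a non-orphan batch token has a parent; the second reports `yes`. Both report `renewable` as `false`, which is the operational reason the Warning above matters: there is no renew or revoke step to fall back on, so the TTL you choose at creation is the whole lifecycle.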

Using a Batch Token

Authenticate and export the token:

vault login hvb.AAAAQL7ypVnQ...
Success! You are now authenticated.

export VAULT_TOKEN=hvb.AAAAQL7ypVnQ...

If you lack permissions, listing secrets fails:

vault secrets list
# Error listing secrets engines: permission denied

Clean up by unsetting the token:

unset VAULT_TOKEN
vault secrets list
# Error listing secrets engines: permission denied

You’ve now learned how to create, inspect, and securely use Vault Batch Tokens. For more details, see the Vault Tokens documentation.
