Vaultx.Auth.Token (Vaultx v0.7.0)


Token authentication method for HashiCorp Vault.

This module implements comprehensive token management for Vault, providing functionality for token creation, lookup, renewal, and revocation. Unlike other authentication methods that obtain tokens, this module manages existing tokens and provides token-based operations.

Features

  • Token Creation: Create new tokens with configurable policies and TTL
  • Token Lookup: Retrieve information about existing tokens
  • Token Renewal: Extend token lifetime within configured limits
  • Token Revocation: Safely revoke tokens and associated leases
  • Role Management: Support for token roles with predefined configurations
  • Accessor Operations: Manage tokens via their accessor IDs
  • Enterprise Ready: Supports all Vault enterprise features

API Compliance

Fully implements the HashiCorp Vault token authentication method.

Usage Examples

Token Lookup (Self)

{:ok, token_info} = Vaultx.Auth.Token.lookup_self()

Token Lookup (Specific Token)

{:ok, token_info} = Vaultx.Auth.Token.lookup_token("hvs.CAESIJ...")

Token Creation

{:ok, auth_response} = Vaultx.Auth.Token.create_token(%{
  policies: ["default", "myapp"],
  ttl: "1h",
  renewable: true
})

Token Renewal

# renew_token/2 takes a keyword list of options, not a map
{:ok, auth_response} = Vaultx.Auth.Token.renew_token("hvs.CAESIJ...",
  increment: "30m"
)

Token Revocation

:ok = Vaultx.Auth.Token.revoke_token("hvs.CAESIJ...")

Vault Configuration

The token auth method is enabled by default in Vault:

# Token auth is always available at auth/token/
# No additional configuration required

# Create token roles (optional)
vault write auth/token/roles/myapp \
  allowed_policies="default,myapp" \
  orphan=true \
  renewable=true

Security Considerations

  • Use appropriate token TTL values to minimize exposure
  • Implement proper token rotation strategies
  • Monitor token usage and revoke unused tokens
  • Use token roles to enforce consistent policies
  • Regularly audit token permissions and usage
  • Consider using batch tokens for high-volume scenarios
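The following module is an added example (not part of Vaultx) that applies the considerations above with the functions documented on this page: it hands a task a narrowly scoped, short-lived child token and revokes it as soon as the task finishes, and it renews a long-running token only when it is close to expiry. It assumes the create response exposes the new token as `client_token` and that lookup results expose `ttl` (seconds) and `renewable`, mirroring the fields Vault returns; the policy names, TTLs and `num_uses` value are illustrative.

```elixir
defmodule MyApp.ScopedToken do
  # Added example built on the Vaultx.Auth.Token API; not library code.
  # Assumed field names (from Vault's own responses): auth.client_token,
  # info.ttl (seconds remaining), info.renewable.
  require Logger

  @renew_below_seconds 300

  # Create a least-privilege token, run `fun` with it, and always revoke it,
  # so a token that leaks from the task has a bounded lifetime and use count.
  def with_scoped_token(policies, fun, ttl \\ "15m") do
    params = %{
      policies: policies,
      ttl: ttl,
      renewable: false,
      no_default_policy: true,
      num_uses: 10,
      meta: %{"purpose" => "scoped-task"}
    }

    with {:ok, auth} <- Vaultx.Auth.Token.create_token(params) do
      token = auth.client_token

      try do
        {:ok, fun.(token)}
      after
        # Runs even if `fun` raises; a failed revoke is logged, not swallowed silently.
        case Vaultx.Auth.Token.revoke_token(token) do
          :ok -> :ok
          {:error, err} -> Logger.warning("token revoke failed: #{inspect(err)}")
        end
      end
    end
  end

  # Renew a service token only when it is about to expire; refuse to "renew"
  # a non-renewable token so callers fall back to re-authentication instead.
  def renew_if_expiring(token, increment \\ "1h") do
    with {:ok, info} <- Vaultx.Auth.Token.lookup_token(token) do
      cond do
        info.ttl > @renew_below_seconds -> {:ok, :not_due}
        info.renewable -> Vaultx.Auth.Token.renew_token(token, increment: increment)
        true -> {:error, :not_renewable}
      end
    end
  end
end
```

Call `MyApp.ScopedToken.with_scoped_token(["myapp"], fn token -> do_work(token) end)` from a job; the child token is revoked on both success and failure paths.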

Summary

Functions

Create a new token.

Look up information about the current client token.

Look up information about a specific token.

Renew a token to extend its lifetime.

Functions

create_token(params, opts \\ [])

Create a new token.

Parameters

  • params - Token creation parameters:
    • :policies - List of policies for the token
    • :ttl - Token TTL (e.g., "1h", "30m")
    • :renewable - Whether the token can be renewed
    • :role_name - Token role to use for creation
    • :meta - Metadata to attach to the token
    • :no_parent - Create orphan token (requires root)
    • :no_default_policy - Exclude default policy
    • :display_name - Display name for the token
    • :num_uses - Maximum number of uses (0 = unlimited)
    • :period - Period for periodic tokens
  • opts - Options for the request

Returns

  • {:ok, auth_response} - Token created successfully
  • {:error, %Vaultx.Base.Error{}} - Request failed with detailed error

Examples

{:ok, auth_response} = Vaultx.Auth.Token.create_token(%{
  policies: ["default", "myapp"],
  ttl: "1h",
  renewable: true
})

lookup_self(opts \\ [])

Look up information about the current client token.

Parameters

  • opts - Options for the request:
    • :mount_path - Custom mount path (default: "token")
    • :timeout - Request timeout in milliseconds

Returns

  • {:ok, token_info} - Token information retrieved successfully
  • {:error, %Vaultx.Base.Error{}} - Request failed with detailed error

Examples

{:ok, token_info} = Vaultx.Auth.Token.lookup_self()
IO.inspect(token_info.policies)

lookup_token(token, opts \\ [])

Look up information about a specific token.

Parameters

  • token - Token to look up
  • opts - Options for the request:
    • :mount_path - Custom mount path (default: "token")
    • :timeout - Request timeout in milliseconds

Returns

  • {:ok, token_info} - Token information retrieved successfully
  • {:error, %Vaultx.Base.Error{}} - Request failed with detailed error

Examples

{:ok, token_info} = Vaultx.Auth.Token.lookup_token("hvs.CAESIJ...")
IO.inspect(token_info.policies)

renew_token(token, opts \\ [])

Renew a token to extend its lifetime.

Parameters

  • token - Token to renew (if nil, renews current token)
  • opts - Options for the request:
    • :increment - Requested increment duration (e.g., "30m")
    • :mount_path - Custom mount path (default: "token")

Returns

  • {:ok, auth_response} - Token renewed successfully
  • {:error, %Vaultx.Base.Error{}} - Request failed with detailed error

Examples

{:ok, auth_response} = Vaultx.Auth.Token.renew_token("hvs.CAESIJ...",
  increment: "30m"
)