The Vault CLI contains a number of convenience features that let an operator make quick changes to backends and tokens. This article walks through disabling a problematic backend mount with the vault revoke command and its associated -prefix and -force flags.
You are attempting to disable an unnecessary authentication backend named aws-ec2 when you encounter an error:

$ vault auth-disable aws-ec2
Error: Error making API request.

URL: DELETE https://vault.example.com/v1/sys/auth/aws-ec2
Code: 400. Errors:

* failed to revoke 'auth/aws-ec2/login/004c7a3e98ee3c9f3ef83651434a0891a81fb7bb' (1 / 1): failed to revoke token: failed to revoke entry: failed to revoke 'database/creds/mariadb-readonly/03167e19a1ef25c482728a3f3c21cf739d2b6a69' (1 / 1): failed to revoke entry: resp:(*logical.Response)(nil) err:error during revoke: could not find role with name mariadb-readonly
The issue at play here is a bit involved, but essentially boils down to this: disabling a backend first revokes every lease under it. While revoking the tokens issued by the aws-ec2 backend, Vault encounters a token that holds a child lease from the database backend, a credential issued for the role mariadb-readonly. Revoking a token cascades to the leases it owns, and that database lease cannot be revoked because the role mariadb-readonly no longer exists on the database backend. The cascade fails, so the token revocation fails, so the mount cannot be disabled.
One tempting, but not recommended, solution would be to simply recreate a role named mariadb-readonly on the database backend so that the revocation succeeds, and then try to disable the aws-ec2 backend again. That is fragile: what if the MariaDB backend itself is also gone?
In this example we described the aws-ec2 backend as unnecessary, so in addition to disabling it we don't mind if all of the tokens it issued are forcibly revoked as well. So how do we quickly and forcibly revoke every token associated with that backend?
Let's see what vault revoke --help has to say about it:

$ vault revoke --help
Usage: vault revoke [options] id

  Revoke a secret by its lease ID.

  This command revokes a secret by its lease ID that was returned with it.
  Once the key is revoked, it is no longer valid.

  With the -prefix flag, the revoke is done by prefix: any secret prefixed
  with the given partial ID is revoked. Lease IDs are structured in such a
  way to make revocation of prefixes useful.

  With the -force flag, the lease is removed from Vault even if the
  revocation fails. This is meant for certain recovery scenarios and should
  not be used lightly. This option requires -prefix.
Lease IDs begin with the mount path (the failing token above is auth/aws-ec2/login/004c7a3e...), so we can forcibly revoke every lease under the mount by combining the -prefix and -force flags, like this:

$ vault revoke -prefix=true -force=true auth/aws-ec2/
Success! Revoked the secret with ID 'auth/aws-ec2', if it existed.

Note what -force actually does: it removes the lease entries from Vault's own store even when the backend's revocation fails. Vault no longer tracks the credential, but nothing has been revoked in the target system. Any credential whose lease was dropped this way (the credentials issued under database/creds/mariadb-readonly in the error above, if that database still exists) remains valid until it is cleaned up manually, which is why the help text says the flag should not be used lightly.
and the backend can now be successfully disabled:

$ vault auth-disable aws-ec2
Disabled auth provider at path 'aws-ec2' if it was enabled
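The whole procedure as a script, added here as an example and not part of the original article: it tries the clean disable first, and only if that fails does it record the lease IDs that -force is about to orphan, force-revoke them, and disable the mount again. It is written against the current Vault CLI syntax (vault lease revoke -force -prefix, vault auth disable), which replaced the vault revoke and vault auth-disable commands shown above. The VAULT and ORPHAN_LOG variables are this script's own conventions; the Vault address and token come from VAULT_ADDR and VAULT_TOKEN as usual, and walking sys/leases/lookup/ assumes the token used has sudo capability on that path.

```shell
#!/usr/bin/env bash
# Added example: force-disable an auth backend whose leases cannot be cleanly revoked.
# Current CLI syntax is used: "vault lease revoke" / "vault auth disable" replaced the
# "vault revoke" / "vault auth-disable" commands shown in the article.
# VAULT_ADDR and VAULT_TOKEN are read from the environment by the vault binary itself.
set -u

VAULT="${VAULT:-vault}"                          # override to point at a stub for dry runs
ORPHAN_LOG="${ORPHAN_LOG:-orphaned-leases.txt}"  # where the about-to-be-orphaned lease IDs go

# Recursively walk sys/leases/lookup/<prefix> and print every leaf lease ID.
# "vault list" returns sub-prefixes with a trailing slash, which is how we tell
# a directory from a lease. Listing this path needs sudo capability on it.
list_leases() {
  local prefix="$1" key
  "$VAULT" list -format=json "sys/leases/lookup/${prefix}" 2>/dev/null \
    | tr -d '[]",' | awk 'NF' | while read -r key; do
        case "$key" in
          */) list_leases "${prefix}${key}" ;;
          *)  printf '%s%s\n' "$prefix" "$key" ;;
        esac
      done
}

# Disable an auth mount. Returns 0 on success, non-zero if even the forced path failed.
disable_auth_backend() {
  local mount="$1" prefix="auth/$1/"

  # 1. Try the clean path first: Vault revokes every lease under the mount and
  #    the backing systems are told to invalidate their credentials.
  if "$VAULT" auth disable "$mount"; then
    echo "disabled $mount cleanly"
    return 0
  fi

  # 2. Clean revocation failed. -force will drop the lease entries from Vault
  #    without revoking the secrets they track, so record them first: these are
  #    credentials that must be cleaned up by hand in their backing systems.
  echo "clean revocation failed; leases under $prefix to be force-removed (saved to $ORPHAN_LOG):" >&2
  list_leases "$prefix" | tee "$ORPHAN_LOG" >&2

  # 3. Force-remove the lease entries, then disable the mount again.
  "$VAULT" lease revoke -force -prefix "$prefix" || return 1
  "$VAULT" auth disable "$mount"
}

# Run only when a mount name is given: ./force-disable-auth.sh aws-ec2
if [ "$#" -gt 0 ]; then
  disable_auth_backend "$1"
fi
```

The orphan log is the important artifact here. After a forced revoke, the lease IDs in it are the only record Vault will ever give you of credentials that are still live in their backing systems; hand that list to whoever owns the database (or whichever backend issued the secrets) so the accounts can be dropped manually.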