The Vault CLI contains a number of convenience features that let an operator make quick changes to backends and tokens. This article walks through forcibly cleaning up a problematic backend mount with the vault revoke command and its -prefix and -force flags.
The Scenario
You are attempting to disable an unnecessary authentication backend named aws-ec2 when you encounter an error:
$ vault auth-disable aws-ec2
Error: Error making API request.
URL: DELETE https://vault.example.com/v1/sys/auth/aws-ec2
Code: 400. Errors:
* failed to revoke 'auth/aws-ec2/login/004c7a3e98ee3c9f3ef83651434a0891a81fb7bb' (1 / 1): failed to revoke token: failed to revoke entry: failed to revoke 'database/creds/mariadb-readonly/03167e19a1ef25c482728a3f3c21cf739d2b6a69' (1 / 1): failed to revoke entry: resp:(*logical.Response)(nil) err:error during revoke: could not find role with name mariadb-readonly
The issue at play here is a bit involved, but boils down to this: disabling an auth backend first revokes every token it issued, and revoking a token also revokes the leases that token owns. One of the aws-ec2 tokens still owns a lease for database credentials from the role mariadb-readonly, and that role no longer exists. The database backend stores the revocation statements on the role, so without the role it cannot revoke the credentials, the token revocation fails, and the mount cannot be disabled.
The Solution
One tempting, but not recommended, solution would be to create a new role named mariadb-readonly on the database backend and then try to disable the aws-ec2 backend again. That only helps if the database mount is still there; what if the MariaDB backend is also gone?
In this example we described the aws-ec2 backend as unnecessary, so in addition to disabling it we do not mind if every token it issued is forcibly revoked as well. So how do we quickly and forcibly revoke all of the tokens associated with the backend named aws-ec2?
Let's see what vault revoke --help has to say about it:
$ vault revoke --help
Usage: vault revoke [options] id
Revoke a secret by its lease ID.
This command revokes a secret by its lease ID that was returned with it. Once
the key is revoked, it is no longer valid.
With the -prefix flag, the revoke is done by prefix: any secret prefixed with
the given partial ID is revoked. Lease IDs are structured in such a way to
make revocation of prefixes useful.
With the -force flag, the lease is removed from Vault even if the revocation
fails. This is meant for certain recovery scenarios and should not be used
lightly. This option requires -prefix.
So we can forcibly revoke every lease whose ID begins with the auth mount's path (the token leases live under auth/aws-ec2/login/) by combining the -force and -prefix flags. Note what -force actually does: Vault deletes the lease entries from its own storage even when the backend's revocation fails, so any credentials those leases protected are not cleaned up by Vault. If the MariaDB server still exists, the mariadb-readonly credentials behind the orphaned lease will remain in the database and must be dropped by hand. With that understood, the command is:
$ vault revoke -prefix=true -force=true auth/aws-ec2/
Success! Revoked the secret with ID 'auth/aws-ec2', if it existed.
and the backend can now be successfully disabled:
$ vault auth-disable aws-ec2
Disabled auth provider at path 'aws-ec2' if it was enabled
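The procedure above, as an added example that is not part of the original article: a small script that first tries a normal disable, and only if that fails and the operator has opted in with FORCE_REVOKE=yes does it force-revoke the mount's leases and retry. It uses the same pre-0.9.2 command names the article shows (vault revoke, vault auth-disable); on newer releases the equivalents are vault lease revoke -force -prefix and vault auth disable. It assumes VAULT_ADDR and VAULT_TOKEN are already set in the environment, and the mount name, the FORCE_REVOKE variable and the function names are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example (not the article's code): disable an auth mount, falling back to
# a force revoke of its leases only when explicitly permitted. Assumes the old
# CLI syntax (vault revoke / vault auth-disable) and VAULT_ADDR, VAULT_TOKEN set.
set -u

MOUNT="${1:-aws-ec2}"   # mount name is this example's assumption

# Attempt a normal disable. Returns non-zero if Vault refuses, e.g. because a
# child lease could not be revoked (the mariadb-readonly case in the article).
try_disable() {
    vault auth-disable "$1" >/dev/null 2>&1
}

# Drop every lease whose ID starts with auth/<mount>/ from Vault's storage, even
# if the backend-side revocation fails. This does NOT clean up credentials the
# leases protected; those must be removed in the backing system by hand.
force_revoke_prefix() {
    vault revoke -prefix=true -force=true "auth/$1/"
}

# Full procedure. Exit codes: 0 disabled, 1 Vault error, 2 refused to force.
disable_auth_mount() {
    mount="$1"
    if try_disable "$mount"; then
        echo "disabled auth/$mount cleanly"
        return 0
    fi
    # -force is a recovery tool, so require an explicit opt-in before using it.
    if [ "${FORCE_REVOKE:-no}" != "yes" ]; then
        echo "auth/$mount would not disable; re-run with FORCE_REVOKE=yes to force-revoke its leases" >&2
        return 2
    fi
    force_revoke_prefix "$mount" || return 1
    try_disable "$mount" || return 1
    echo "force-revoked auth/$mount/ leases and disabled the mount"
}

# Run only when invoked directly with DISABLE_MOUNT_RUN=1, so the functions can
# also be sourced into another script.
if [ "${DISABLE_MOUNT_RUN:-0}" = "1" ]; then
    disable_auth_mount "$MOUNT"
fi
```

Run it as DISABLE_MOUNT_RUN=1 FORCE_REVOKE=yes sh disable_auth_mount.sh aws-ec2 once you are sure the mount's tokens can go. Leaving FORCE_REVOKE unset makes the script stop at the same error the article shows rather than silently discarding leases.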