Issue Overview
- For most authentication mounts, you can tune the token_type parameter using the documented values.
- However, token_type may not be adjusted in the case of native Token Authentication mounts available within each / all namespaces.
Outcome
Attempting to tune token_type on the token auth mount results in an expected error with a message similar to: 'token_type' cannot be set for 'token' or 'ns_token' auth mounts. For example:
vault auth list
Path Type Accessor Description
---- ---- -------- -----------
token/ token auth_token_7cb8d512 token based credentials
vault read sys/auth/token/tune
Key Value
--- -----
default_lease_ttl 768h
description token based credentials
force_no_cache false
max_lease_ttl 768h
token_type default-service
vault auth tune -token-type=service token/
Error tuning auth method token/: Error making API request.
URL: POST http://0.0.0.0:8200/v1/sys/mounts/auth/token/tune
Code: 400. Errors:
* 'token_type' cannot be set for 'token' or 'ns_token' auth mounts
The same behavior occurs within namespaces as well, for example:
export VAULT_NAMESPACE=ns1
vault auth list
Path Type Accessor Description
---- ---- -------- -----------
token/ ns_token auth_ns_token_10d4fcab token based credentials
userpass/ userpass auth_userpass_cbf74d45 n/a
# If you didn't export VAULT_NAMESPACE, you can also provide the in-line -ns=… parameter:
# `vault auth tune -ns=ns1 -token-type=service token/`
vault auth tune -token-type=service token/
Error tuning auth method token/: Error making API request.
Namespace: test/
URL: POST http://0.0.0.0:8200/v1/sys/mounts/auth/token/tune
Code: 400. Errors:
* 'token_type' cannot be set for 'token' or 'ns_token' auth mounts
To demonstrate its tunability for other authentication mount types, let's use a userpass method instead, e.g.:
vault read sys/auth/userpass/tune
Key Value
--- -----
default_lease_ttl 768h
description n/a
force_no_cache false
max_lease_ttl 768h
token_type default-service
vault auth tune -token-type=service userpass/
Success! Tuned the auth method at: userpass/
vault read sys/auth/userpass/tune
Key Value
--- -----
default_lease_ttl 768h
description n/a
force_no_cache false
max_lease_ttl 768h
token_type service
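
When token_type is tuned across many mounts from a script, the token and ns_token mounts need to be skipped up front so the run does not stop on the 400 error shown above. The following is an added example, not part of the original article or of Vault itself: the function names and the sample table are constructed for illustration, and it assumes the default table output of `vault auth list`.

```shell
#!/bin/sh
# Added example: plan token_type tuning across auth mounts, skipping the
# mount types Vault refuses to tune (token and ns_token).

# Constructed sample in the column layout of `vault auth list`.
SAMPLE_AUTH_LIST='Path         Type        Accessor                  Description
----         ----        --------                  -----------
token/       ns_token    auth_ns_token_10d4fcab    token based credentials
userpass/    userpass    auth_userpass_cbf74d45    n/a'

# tunable_mounts: read a `vault auth list` table on stdin and print the
# paths whose type is neither token nor ns_token. Mount paths always end
# in "/", which also filters out the header and separator rows.
tunable_mounts() {
    awk '$1 ~ /\/$/ && $2 != "token" && $2 != "ns_token" { print $1 }'
}

# plan_tune TOKEN_TYPE: read the table on stdin and print (not run) one
# tune command per tunable mount, so the plan can be reviewed first.
plan_tune() {
    case "$1" in
        # Values documented for the token_type tune parameter.
        default-service|default-batch|service|batch) ;;
        *) echo "unsupported token type: $1" >&2; return 2 ;;
    esac
    tunable_mounts | while IFS= read -r path; do
        printf 'vault auth tune -token-type=%s %s\n' "$1" "$path"
    done
}

# Dry run against the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LIST" | plan_tune service
```

Against a live server, pipe `vault auth list` into `plan_tune` in place of the sample and review the printed commands before running them.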