When working with Vault, you may need details about a specific lease, for example to notify the namespace owner when credential revocation fails because of issues like token expiry or an inaccessible target database. One way to get these details is to review the operational logs generated by Vault, which can provide useful information about namespace-related events.
We will demonstrate an example of how to obtain the namespace of a lease that has been revoked.
1. List namespaces:
CLI:
$ VAULT_TOKEN=<TOKEN> \
vault list -format=json -detailed \
sys/namespaces | jq -r '.data.key_info[] | {id, path}'
API:
$ curl \
--header "X-Vault-Token: <TOKEN>" \
--request LIST --silent \
http://127.0.0.1:8200/v1/sys/namespaces | jq -r '.data.key_info[] | {id, path}'
Response:
{
"id": "14hbL",
"path": "test/"
}
{
"id": "bDGCm",
"path": "test2/"
}
We have 2 namespaces: test with the ID 14hbL, and test2 with the ID bDGCm.
2. Create a short-lived token to review the expiration details in the Vault operational logs:
$ vault token create -ttl=5s -use-limit=1 -policy=default -namespace=test
3. Look for the revoked lease message in the operational logs:
2023-04-14T11:54:17.878-0500 [INFO] expiration: revoked lease: lease_id=auth/token/create/hd8ef77b60d25e0e21415294b0dbc7c5c0843ac6b80ff3f8cdfaef3404e0f01e9.14hbL
Take note of the namespace ID located at the end of the lease, after the dot (.), which is 14hbL. You can match it with the result from step 1.
4. If you have a vast number of namespaces and step 1 is not helpful, you can run the following command to search for the path that corresponds to the namespace ID 14hbL.
CLI:
$ VAULT_TOKEN=<TOKEN> \
vault list -format=json -detailed \
sys/namespaces | jq -r '.data.key_info | to_entries[] | select(.value.id == "14hbL") | .value.path'
API:
$ curl \
--header "X-Vault-Token: <TOKEN>" \
--request LIST --silent \
http://127.0.0.1:8200/v1/sys/namespaces | jq -r '.data.key_info | to_entries[] | select(.value.id == "14hbL") | .value.path'
Response:
test/
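Steps 1 to 4 can be combined into one pass over a log file. The script below is an added example, not part of the original article or of Vault itself; it goes beyond the single lease shown above by resolving every lease_id in a batch of log lines and flagging namespace IDs that are not in the listing. The sample JSON and log lines are constructed, the function names are hypothetical, and treating a lease with no dot in its last path segment as having no namespace suffix is an assumption.

```python
import json
import re

# Constructed sample of `vault list -format=json -detailed sys/namespaces`,
# reduced to the fields the jq filters in steps 1 and 4 read.
NAMESPACES_JSON = """
{"data": {"key_info": {
  "test/":  {"id": "14hbL", "path": "test/"},
  "test2/": {"id": "bDGCm", "path": "test2/"}
}}}
"""

# Constructed log lines in the format shown in step 3 (lease IDs shortened).
LOG_LINES = [
    "2023-04-14T11:54:17.878-0500 [INFO] expiration: revoked lease: lease_id=auth/token/create/h0a1b2c3d.14hbL",
    "2023-04-14T11:55:02.101-0500 [INFO] expiration: revoked lease: lease_id=auth/token/create/h4e5f6a7b.bDGCm",
    "2023-04-14T11:55:40.440-0500 [INFO] expiration: revoked lease: lease_id=auth/token/create/h8c9d0e1f.zzzzz",
    "2023-04-14T11:55:59.900-0500 [INFO] expiration: revoked lease: lease_id=auth/token/create/h2b3c4d5e",
    "2023-04-14T11:56:00.000-0500 [INFO] core: unrelated message",
]

LEASE_RE = re.compile(r"\blease_id=(\S+)")

def namespace_index(namespaces_json):
    """Build {namespace ID: path} from the detailed namespace listing."""
    key_info = json.loads(namespaces_json)["data"]["key_info"]
    return {info["id"]: info["path"] for info in key_info.values()}

def namespace_id(lease_id):
    """Return the text after the last dot of the final path segment, or None.
    Only the last segment is inspected so a dot in a mount or role name is ignored.
    Assumption: no dot there means the lease carries no namespace suffix."""
    last_segment = lease_id.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return None
    return last_segment.rsplit(".", 1)[1]

def resolve(lines, index):
    """Return (lease_id, namespace ID, namespace path or None) per lease line."""
    results = []
    for line in lines:
        match = LEASE_RE.search(line)
        if not match:
            continue  # not a lease-related log line
        lease = match.group(1)
        ns_id = namespace_id(lease)
        results.append((lease, ns_id, index.get(ns_id)))
    return results

if __name__ == "__main__":
    for lease, ns_id, path in resolve(LOG_LINES, namespace_index(NAMESPACES_JSON)):
        print(f"{ns_id or '-':6} {path or 'UNKNOWN':8} {lease}")
```

An UNKNOWN path with a namespace ID present means the ID was not in the listing, for example because the token used for the listing cannot see that namespace or the namespace was deleted after the lease was created.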
References:
https://developer.hashicorp.com/vault/api-docs/system/leases
https://developer.hashicorp.com/vault/docs/commands/token/create#examples
https://developer.hashicorp.com/vault/api-docs/system/namespaces#sample-request