Problem
This article addresses an intermittent 500 error that some users have encountered. The error reads: "* error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue". It occurs even when the replication configuration is correct, and no related errors appear in the Vault server logs.
Solution
This eventual consistency issue has been fixed, and the fix has been backported to supported versions of Vault. To resolve it:
- Upgrade your Vault cluster to version 1.11.10, 1.12.6, 1.13.2 or 1.14.0, which contain the fix.
- Confirm that the allow_forwarding_via_token parameter is set to "new_token" in the replication stanza of each Vault node. Your Vault configuration file should include:

    replication {
      allow_forwarding_via_token = "new_token"
    }
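The two steps above can be checked per node with a short script. This is an added example, not HashiCorp code: the function names are hypothetical, and it assumes that later patch releases of each line, and release lines after 1.14, keep the fix.

```sh
# version_has_fix VERSION -> 0 if fixed, 1 if not, 2 if unparseable.
# Assumption: later patches of each line, and lines after 1.14, keep the fix.
version_has_fix() {
  v=${1#v}; v=${v%%+*}              # drop a leading "v" and "+ent" build metadata
  case $v in
    *[!0-9.]*) return 2 ;;          # pre-releases such as "-rc1" are rejected
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) return 2 ;;
  esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; rest=${rest#*.}; patch=${rest%%.*}
  [ "$major" -gt 1 ] && return 0
  [ "$major" -lt 1 ] && return 1
  case $minor in
    11) [ "$patch" -ge 10 ] ;;
    12) [ "$patch" -ge 6 ] ;;
    13) [ "$patch" -ge 2 ] ;;
    *)  [ "$minor" -ge 14 ] ;;
  esac
}

# config_sets_new_token FILE -> 0 if an uncommented line inside the
# replication stanza sets allow_forwarding_via_token = "new_token".
config_sets_new_token() {
  awk '
    /^[ \t]*(#|\/\/)/ { next }                        # skip comment lines
    /^[ \t]*replication[ \t]*[{]/ { inside = 1 }
    inside && /allow_forwarding_via_token[ \t]*=[ \t]*"new_token"/ { found = 1 }
    inside && /[}]/ { inside = 0 }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# check_node VERSION FILE -> prints a verdict; returns 0 only if both pass.
check_node() {
  rc=0
  version_has_fix "$1" || { echo "FAIL: $1 is not a known fixed version"; rc=1; }
  config_sets_new_token "$2" || { echo "FAIL: $2 lacks allow_forwarding_via_token = \"new_token\""; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $1 with $2"
  return "$rc"
}

# Constructed sample: a fixed version whose config has the setting commented out.
sample=$(mktemp)
printf 'replication {\n  # allow_forwarding_via_token = "new_token"\n}\n' > "$sample"
check_node "1.13.2+ent" "$sample" || true
rm -f "$sample"
```

Run it on every node, since the setting must be present in each node's configuration file.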
Outcome
Implementing these steps should eliminate these intermittent 500 errors.