Introduction
When a user authenticates to Vault, a token is generated and returned to the user. By default the token has the default system TTL of 32 days (768 hours), unless otherwise specified, and the token can be used to authenticate to Vault for as long as it is valid.
If a user has been removed or disabled in the authentication backend but the tokens from that user's earlier logins are still valid, those tokens must be revoked so that they can no longer be used to authenticate to Vault.
In general the sensitive data in audit.log is HMAC'ed, so it is not possible to retrieve the token or the token accessor of an authenticated login directly from the audit log.
This article describes the steps to retrieve and revoke such tokens from Vault using the display_name field in the audit log, which is logged in the clear.
Procedure
- Review the audit log and identify the display_name of the login.

  Example: the audit log entries below are from an OIDC authentication of an Auth0 account to Vault where the user_id on Auth0 is auth0|63e6586a2bc88f865b8de7e8. The client_token and accessor are HMAC'ed, but display_name is readable:

  "auth": {
    "client_token": "hmac-sha256:537a8826656feec0b0cef82405caca67c261a6dfeead8a00cad21a8d98b8b90c",
    "accessor": "hmac-sha256:2767740863da58bba83d62d3e14f8b126f9d136d1af63cc9f748ba190476ae1d",
    "display_name": "oidc-auth0|63e6586a2bc88f865b8de7e8",

- Retrieve the token accessors associated with the login oidc-auth0|63e6586a2bc88f865b8de7e8.

  The pipeline lists every token accessor, looks each one up, and keeps only those whose display_name matches. In the example below there are two existing accessors associated with the account auth0|63e6586a2bc88f865b8de7e8. Each of these accessors is tied to a token that can be revoked.

  $ vault list -format json auth/token/accessors | jq -r .[] | xargs -I '{}' vault token lookup -format json -accessor '{}' | jq -r 'select(.data.display_name == "oidc-auth0|63e6586a2bc88f865b8de7e8")' | jq -r .data.accessor
  XssWCIoT7Se6L8h1GpZ0UPhb
  kT1M8ubJ9qyezmr3SxmVxhs6

- Revoke each of the tokens by using its token accessor:

  $ vault token revoke -accessor XssWCIoT7Se6L8h1GpZ0UPhb
  Success! Revoked token (if it existed)
  $ vault token revoke -accessor kT1M8ubJ9qyezmr3SxmVxhs6
  Success! Revoked token (if it existed)
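The three steps above (read display_name from the audit log, find matching accessors, revoke them) as an added Python example; this is not code from the article or from HashiCorp. It assumes a hypothetical FakeVault stand-in for the vault CLI calls and uses constructed sample data, including an accessor whose token disappears between listing and lookup.

```python
import json
# Constructed sample data (not captured from a real Vault). The audit entry mirrors the
# article's example; the lookups mimic `vault token lookup -format json -accessor <acc>`.
DISPLAY_NAME = "oidc-auth0|63e6586a2bc88f865b8de7e8"
AUDIT_LINE = json.dumps({"type": "response", "auth": {
    "client_token": "hmac-sha256:537a8826656feec0b0cef82405caca67c261a6dfeead8a00cad21a8d98b8b90c",
    "accessor": "hmac-sha256:2767740863da58bba83d62d3e14f8b126f9d136d1af63cc9f748ba190476ae1d",
    "display_name": DISPLAY_NAME}})
LOOKUPS = {  # accessor -> lookup response
    "XssWCIoT7Se6L8h1GpZ0UPhb": {"data": {"display_name": DISPLAY_NAME}},
    "kT1M8ubJ9qyezmr3SxmVxhs6": {"data": {"display_name": DISPLAY_NAME}},
    "zzOtherUserAccessor00000": {"data": {"display_name": "oidc-auth0|other-user"}},
}
LISTED = list(LOOKUPS) + ["expiredAccessor000000000"]  # last one expires before lookup

def display_names_from_audit(lines):
    """Collect auth.display_name values from raw audit-log lines (tokens stay HMAC'ed)."""
    names = set()
    for line in filter(str.strip, lines):
        name = json.loads(line).get("auth", {}).get("display_name")
        if name:
            names.add(name)
    return names

class FakeVault:
    """Hypothetical stand-in for the three vault CLI calls the article's pipeline makes."""
    def __init__(self):
        self.revoked = []
    def list_accessors(self):          # vault list auth/token/accessors
        return list(LISTED)
    def lookup_accessor(self, acc):    # vault token lookup -accessor <acc>
        if acc not in LOOKUPS:
            raise LookupError("invalid accessor")  # token already expired or revoked
        return LOOKUPS[acc]
    def revoke_accessor(self, acc):    # vault token revoke -accessor <acc>
        self.revoked.append(acc)

def revoke_tokens_for_display_name(vault, display_name):
    """Revoke every token whose lookup reports display_name; return revoked accessors."""
    revoked = []
    for acc in vault.list_accessors():
        try:
            info = vault.lookup_accessor(acc)
        except LookupError:
            continue                   # gone between list and lookup: nothing to revoke
        if info["data"].get("display_name") == display_name:
            vault.revoke_accessor(acc)
            revoked.append(acc)
    return revoked
```

Against a real cluster the same loop would call the vault CLI or HTTP API in place of FakeVault, and only tokens whose display_name matches the one taken from the audit log are revoked.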
Additional Information
- Vault Documentation: Tokens
- Vault Documentation: Token Revoke