Introduction
This article provides details about HCP Vault Dedicated's lease count quotas and how to address a common error associated with them.
Problem
Vault returns a 429 - Too Many Requests response when users try to authenticate:

    Error making API request.

    URL: PUT https://127.0.0.1:61555/v1/auth/userpass/login/foo
    Code: 429. Errors:

    * 1 error occurred:
        * request path "auth/userpass/login/foo": lease count quota exceeded
Cause
Vault returns a 429 - Too Many Requests response if a new lease request violates the configured lease quota limit.
To guard against lease explosions, Vault rejects authentication requests if completing the request would violate the configured lease quota limit.
Solution
- Correct any client-side errors that may cause excessive lease creation.
- Determine if your resource needs have changed and complete the Protecting Vault with Resource Quotas tutorial to determine new, appropriate defaults.
- Use the vault lease CLI command or lease count quota endpoint to tune your lease count quota.
Example:
Use the lease count quota endpoint to tune your lease count quota to 1000000.
Create or update a lease count quota
Sample payload
    {
      "path": "admin",
      "max_leases": 1000000,
      "inheritable": true
    }

    curl \
        --request POST \
        --header "X-Vault-Namespace: admin" \
        --header "X-Vault-Token: $VAULT_TOKEN" \
        --data @payload.json \
        $VAULT_ADDR/v1/sys/quotas/lease-count/global-lease-count-quota
Get a lease count quota
    curl \
        --request GET \
        --header "X-Vault-Namespace: admin" \
        --header "X-Vault-Token: $VAULT_TOKEN" \
        $VAULT_ADDR/v1/sys/quotas/lease-count/global-lease-count-quota
List lease count quotas
    curl \
        --request LIST \
        --header "X-Vault-Namespace: admin" \
        --header "X-Vault-Token: $VAULT_TOKEN" \
        $VAULT_ADDR/v1/sys/quotas/lease-count
Delete a lease count quota
    curl \
        --request DELETE \
        --header "X-Vault-Namespace: admin" \
        --header "X-Vault-Token: $VAULT_TOKEN" \
        $VAULT_ADDR/v1/sys/quotas/lease-count/global-lease-count-quota
Default lease count quota
The default global quota has a max_leases value of 300000. This is an intentionally low limit, intended to prevent runaway leases when no other lease count quota is specified.
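The following is an added example, not code from this article or from HashiCorp: a small monitoring helper that takes the body returned by the "Get a lease count quota" request and reports how much headroom is left, plus a check that separates the lease count quota 429 shown under Problem from other 429 responses. It assumes the quota response carries a `counter` field next to `max_leases` and that the error arrives as a JSON `errors` array; the function names and sample values are constructed for illustration.

```python
import json

# Constructed sample of a "Get a lease count quota" response body. The
# "counter" field (leases currently counted against the quota) is assumed to
# be returned alongside max_leases; the numbers are made up.
SAMPLE_QUOTA = json.dumps({"data": {
    "name": "global-lease-count-quota", "path": "admin",
    "max_leases": 1000000, "counter": 912345, "inheritable": True}})

# Constructed sample of the HTTP body behind the CLI error shown in Problem.
SAMPLE_429 = json.dumps({"errors": [
    '1 error occurred:\n\t* request path "auth/userpass/login/foo": '
    'lease count quota exceeded\n\n']})


def quota_headroom(body, warn_ratio=0.8):
    """Summarise how close a lease count quota is to rejecting new leases."""
    data = json.loads(body)["data"]
    used, limit = int(data["counter"]), int(data["max_leases"])
    if limit <= 0:
        raise ValueError("max_leases must be positive")
    ratio = used / limit
    if used >= limit:
        status = "critical"   # requests that create a lease are rejected
    elif ratio >= warn_ratio:
        status = "warn"       # investigate lease growth before the limit
    else:
        status = "ok"
    return {"name": data.get("name"), "used": used, "limit": limit,
            "remaining": max(limit - used, 0), "ratio": round(ratio, 4),
            "status": status}


def is_lease_quota_rejection(status_code, body):
    """True only for a 429 whose error text names the lease count quota."""
    if status_code != 429:
        return False
    try:
        errors = json.loads(body).get("errors") or []
    except (ValueError, AttributeError):
        return False
    return any("lease count quota exceeded" in str(e) for e in errors)


if __name__ == "__main__":
    print(quota_headroom(SAMPLE_QUOTA))
    print(is_lease_quota_rejection(429, SAMPLE_429))
```

A client that gets a true result from `is_lease_quota_rejection` should back off rather than retry the login in a tight loop, because the request cannot succeed until existing leases expire or are revoked, or the quota is raised.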
Additional Questions
For additional questions or support, please open a Support ticket.