HCP Vault Dedicated Lease Count Quotas

Avatar
Aji Ayeni
  • Updated

Introduction

This article provides details about HCP Vault Dedicated's lease count quotas and how to address a common error associated with them.

Problem

Vault returns a 429 - Too Many Requests response when users try to authenticate:

Error making API request.

URL: PUT https://127.0.0.1:61555/v1/auth/userpass/login/foo
Code: 429. Errors:

* 1 error occurred:
    * request path "auth/userpass/login/foo": lease count quota exceeded

Cause

Vault returns a 429 - Too Many Requests response if a new lease request violates the configured lease quota limit.

To guard against lease explosions, Vault rejects authentication requests if completing the request would violate the configured lease quota limit.

Solution

  1. Correct any client-side errors that may cause excessive lease creation.
  2. Determine if your resource needs have changed and complete the Protecting Vault with Resource Quotas tutorial to determine new, appropriate defaults.
  3. Use the vault lease CLI command or lease count quota endpoint to tune your lease count quota.

Example:

Using lease count quota endpoint to tune your lease count quota to 1000000.

Create or update a lease count quota

Sample payload

{
  "path": "admin",
  "max_leases": 1000000,
  "inheritable": true
}
 
curl \
--request POST \
--header "X-Vault-Namespace: admin" \
--header "X-Vault-Token: $VAULT_TOKEN" \
--data @payload.json \
$VAULT_ADDR/v1/sys/quotas/lease-count/global-lease-count-quota
 

Get a lease count quota

curl \
--request GET \
--header "X-Vault-Namespace: admin" \
--header "X-Vault-Token:  $VAULT_TOKEN" \
$VAULT_ADDR/v1/sys/quotas/lease-count/global-lease-count-quota
 

List lease count quotas

curl \
--request LIST \
--header "X-Vault-Namespace: admin" \
--header "X-Vault-Token: $VAULT_TOKEN" \
$VAULT_ADDR/v1/sys/quotas/lease-count

Delete a lease count quota

curl \
--request DELETE \
--header "X-Vault-Namespace: admin" \
--header "X-Vault-Token: $VAULT_TOKEN" \
$VAULT_ADDR/v1/sys/quotas/lease-count/global-lease-count-quota

Default lease count quota

Default global quota has a max_leases value of 300000. This value is an intentionally low limit, intended to prevent runaway leases in the event that no other lease count quota is specified.

Additional Questions

For additional questions or support, please open a Support ticket.

Articles in this section

See more

Related articles