This article is a concise guide for Vault administrators on listing and revoking irrevocable leases with the Vault CLI. An irrevocable lease is one that Vault has given up trying to revoke after repeated failures (typically six revoke attempts), usually because it cannot reach the backend service that issued the credential (a database, for example). Vault stops retrying, but the credential may still exist on the backend, so these leases need an administrator's attention.
1. First, check the total number of irrevocable leases across all secret engines.
$ vault read sys/leases/count type=irrevocable
Key Value
--- -----
counts map[database_2c04ad57:5]
lease_count 1
2. List the irrevocable leases. The output shows which secret engines are disproportionately producing irrevocable leases and gives the full lease_id of each one, which you need for a targeted revoke. The endpoint accepts two optional parameters:
- include_child_namespaces (bool: false) - Specifies whether leases in child namespaces should be included in the result.
- limit (string: "") - Specifies the maximum number of leases to return in a request. To return all results, set it to none. If not set, this API returns a maximum of 10,000 leases. If it is not set to none and more leases exist than limit, the response includes a warning, so check for that warning before treating the listing as complete.
$ vault read sys/leases type=irrevocable limit=none
Key Value
--- -----
lease_count 1
leases [map[error:out of retries: failed to revoke entry: resp: (*logical.Response)(nil) err:
failed to connect to `host=10.42.74.200 user=sa database=postgres`: dial error (dial tcp 10.42.74.200:5432:
connect: no route to host) lease_id:database/creds/my-5m-role/4dnxlvO0uVKXKGnwAXtBpssL
mount_id:database_0f26189b]]
Note: the output shows the stored revocation error (here a network failure, no route to host) and the full lease_id of each irrevocable lease. Add -format=json to the read command if you want to parse the listing rather than read it by eye.
3. Force-revoke the lease by its lease_id. Passing the full lease_id as the prefix matches only that one lease, so this command does not revoke other valid leases or any irrevocable lease you did not name. (We have a documentation gap here: the force-revoke-by-lease-id option is not yet documented, and we are working on an update.)
$ vault lease revoke -force -prefix database/creds/my-5m-role/4dnxlvO0uVKXKGnwAXtBpssL
Warning! Force-removing leases can cause Vault to become out of sync with
secret engines!
Success! Force revoked any leases with prefix: database/creds/my-5m-role/4dnxlvO0uVKXKGnwAXtBpssL
Note: the command above is the most targeted option and is the one to use for revoking individual irrevocable leases. Two broader options also exist:
- Revoke-force at a broader prefix. This operation revokes all leases at the specified prefix, valid and irrevocable alike, so use it only when every lease under that prefix should go.
$ vault lease revoke -force -prefix database/creds/my-5m-role
Success! Data written to: sys/leases/revoke-force/database/creds/my-5m-role
- Use the Vault server configuration parameter remove_irrevocable_lease_after (string: ""). It enables the automatic deletion of irrevocable leases: when the configured duration exceeds the expiry time of an irrevocable lease, Vault deletes the lease. The minimum value for remove_irrevocable_lease_after is 2 days (2d). If you set the removal window to a value less than the minimum, Vault overwrites the value to 2d. Deleting a lease may cause.
4. Check the irrevocable lease count again to confirm the targeted lease has been removed.
$ vault read sys/leases/count type=irrevocable
Key Value
--- -----
counts map[database_2c04ad57:5]
lease_count 0
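The four steps above can be scripted. The following is an added example written for this article, not code from the article or from HashiCorp: it takes the JSON form of the step 2 listing (vault read -format=json sys/leases type=irrevocable limit=none), refuses a truncated listing by checking the warnings field, summarises irrevocable leases per mount accessor and per likely cause, and emits one vault lease revoke -force -prefix command per full lease_id, rejecting anything that looks like a bare role prefix so that valid leases are never swept up. The sample JSON, the second and third lease entries and their errors, and the error-classification substrings are constructed for this example; the lease-ID regex is a heuristic of this example, not a Vault guarantee.

```python
"""Triage irrevocable Vault leases and build targeted force-revoke commands.

Input is the JSON form of the listing from step 2:
    vault read -format=json sys/leases type=irrevocable limit=none
"""
import json
import re
import subprocess
from collections import Counter

# A full lease ID ends in a long random segment (24 characters in the article's
# sample); a role prefix such as database/creds/my-5m-role does not. This
# pattern is an assumption of this example, not a Vault guarantee.
FULL_LEASE_ID = re.compile(r"^[A-Za-z0-9_./-]+/[A-Za-z0-9]{20,}(\.[A-Za-z0-9]+)?$")

# Substrings used to bucket revocation errors; these lists are this example's
# own heuristics and can be extended from what appears in your listing.
NETWORK_HINTS = ("no route to host", "connection refused", "i/o timeout", "dial tcp")
CREDENTIAL_HINTS = ("authentication failed", "access denied", "accessdenied",
                    "permission denied", "not authorized")

# Constructed sample in the shape of `vault read -format=json ...` output.
# The second and third lease IDs, the aws mount accessor and their errors are invented.
SAMPLE_JSON = json.dumps({
    "request_id": "00000000-0000-4000-8000-000000000000",
    "warnings": None,
    "data": {
        "lease_count": 3,
        "leases": [
            {"lease_id": "database/creds/my-5m-role/4dnxlvO0uVKXKGnwAXtBpssL",
             "mount_id": "database_0f26189b",
             "error": "out of retries: failed to revoke entry: resp: (*logical.Response)(nil) err: "
                      "failed to connect to `host=10.42.74.200 user=sa database=postgres`: "
                      "dial error (dial tcp 10.42.74.200:5432: connect: no route to host)"},
            {"lease_id": "database/creds/my-5m-role/Ab12Cd34Ef56Gh78Ij90Kl12",
             "mount_id": "database_0f26189b",
             "error": "out of retries: failed to revoke entry: err: dial tcp 10.42.74.200:5432: i/o timeout"},
            {"lease_id": "aws/creds/deploy/Mn34Op56Qr78St90Uv12Wx34",
             "mount_id": "aws_7d3a1c9e",
             "error": "out of retries: failed to revoke entry: err: AccessDenied: not authorized to perform iam:DeleteUser"},
        ],
    },
})


def parse_irrevocable(raw: str) -> list:
    """Return the lease entries; refuse a truncated listing (Vault warns when limit was hit)."""
    doc = json.loads(raw)
    warnings = doc.get("warnings") or []
    if warnings:
        raise RuntimeError("listing is truncated, rerun with limit=none: " + "; ".join(warnings))
    return list((doc.get("data") or {}).get("leases") or [])


def count_by_mount(leases: list) -> Counter:
    """Which mounts are producing irrevocable leases, keyed by mount accessor."""
    return Counter(lease["mount_id"] for lease in leases)


def classify_error(error: str) -> str:
    """Bucket the stored revocation error as 'network', 'credential' or 'other'."""
    text = error.lower()
    if any(hint in text for hint in NETWORK_HINTS):
        return "network"
    if any(hint in text for hint in CREDENTIAL_HINTS):
        return "credential"
    return "other"


def revoke_command(lease_id: str) -> list:
    """Build `vault lease revoke -force -prefix <lease_id>` for exactly one lease.

    A bare role prefix is rejected: with -prefix it would also revoke every
    valid lease under that role (the broader option described in the article).
    """
    if not FULL_LEASE_ID.match(lease_id):
        raise ValueError(f"refusing to force-revoke a prefix that is not a full lease ID: {lease_id}")
    return ["vault", "lease", "revoke", "-force", "-prefix", lease_id]


def plan(raw: str) -> dict:
    """Summarise the listing and produce one targeted revoke command per lease."""
    leases = parse_irrevocable(raw)
    return {
        "by_mount": count_by_mount(leases),
        "by_cause": Counter(classify_error(lease["error"]) for lease in leases),
        "commands": [revoke_command(lease["lease_id"]) for lease in leases],
    }


def execute(commands: list, dry_run: bool = True) -> int:
    """Print (dry run) or run the revoke commands; returns how many were handled."""
    for cmd in commands:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)  # needs VAULT_ADDR and VAULT_TOKEN in the environment
    return len(commands)


if __name__ == "__main__":
    # For live use, replace SAMPLE_JSON with the real listing:
    # raw = subprocess.run(["vault", "read", "-format=json", "sys/leases",
    #                       "type=irrevocable", "limit=none"],
    #                      capture_output=True, text=True, check=True).stdout
    result = plan(SAMPLE_JSON)
    print("irrevocable leases per mount:", dict(result["by_mount"]))
    print("by cause:", dict(result["by_cause"]))
    execute(result["commands"], dry_run=True)
```

Run it with dry_run=True first and compare the per-mount counts with step 1; only then switch to dry_run=False, and re-run step 4 afterwards to confirm the count dropped. Network-bucketed errors usually mean the backend credential still exists and should be cleaned up on the backend itself, since a force revoke only removes Vault's record of it.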