In the Vault operational log, the following entry appears:
[WARN] expiration: lease count exceeds warning lease threshold: have=xxxxxx threshold=256000
- The warning threshold defaults to 256000 leases (the threshold= value in the entry). Whenever the current lease count exceeds that threshold, this warning is logged.
Note that this is a WARN rather than an ERROR. If the Vault environment really does hold more than 256000 leases the warning will appear, and that is normal for a heavily used Vault cluster. However, if the lease count keeps increasing, it is advisable to take the actions below:
- Start monitoring the leases using telemetry and see how they are being generated. The KB article How-to Leverage Vault Telemetry to help identify unexpected lease generation is a good place to start.
- The article How to obtain the total count of leases in Vault can help identify the current count of leases and see where they are coming from (which auth method or secrets engine is creating them).
- Setting lease count quotas on every auth method (and on busy secrets engine mounts) is always a good idea, since any application can accidentally generate a large number of leases, and a quota caps the damage a single misbehaving client can do. Note that lease count quotas are a Vault Enterprise feature.
- There could be irrevocable leases in the Vault environment. Please follow this tutorial to check for and clean up irrevocable leases.
- Note that the default token TTL (default_lease_ttl) and the max TTL (max_lease_ttl) are both 32 days (768 hours). It is possible that these defaults have been raised to an even longer timeframe, or simply that a 32-day lifetime is not needed in many situations. Consider lowering the TTLs, either globally in the server configuration or per mount with vault auth tune / vault secrets tune, since users and applications can always re-authenticate to obtain a new token. Furthermore, a long-lived, unexpired token that leaks can be used for its whole remaining lifetime, so shorter TTLs reduce that exposure as well as the lease count.
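To turn the "keeps increasing" check above into something repeatable, the following Python script, added here as an illustration and not part of this article or of Vault itself, parses the lease-threshold warning out of a few operational-log lines, reports how far over the threshold the cluster is, and classifies whether the count is growing between successive samples. The log lines are constructed for the example (the timestamp layout follows Vault's default log format); the function names and the growth-rate helper are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Matches the expiration manager's lease-threshold warning. The leading
# timestamp is optional so the bare entry quoted in the article also parses.
LEASE_WARN_RE = re.compile(
    r"^(?:(?P<ts>\S+)\s+)?\[WARN\]\s+expiration: lease count exceeds "
    r"warning lease threshold: have=(?P<have>\d+)\s+threshold=(?P<threshold>\d+)\s*$"
)

# Constructed sample of a Vault operational log; not captured from a real cluster.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000Z [INFO]  core: post-unseal setup complete
2024-05-01T10:05:00.000Z [WARN]  expiration: lease count exceeds warning lease threshold: have=260412 threshold=256000
2024-05-01T11:05:00.000Z [WARN]  expiration: lease count exceeds warning lease threshold: have=271990 threshold=256000
2024-05-01T12:05:00.000Z [WARN]  expiration: lease count exceeds warning lease threshold: have=284133 threshold=256000
"""


@dataclass
class LeaseWarning:
    timestamp: Optional[datetime]  # None when the line carried no timestamp
    have: int
    threshold: int

    @property
    def pct_over_threshold(self) -> float:
        """How far the lease count sits above the warning threshold, in percent."""
        return 100.0 * (self.have - self.threshold) / self.threshold


def _parse_ts(ts: Optional[str]) -> Optional[datetime]:
    """Parse Vault's RFC3339 timestamp; tolerate the trailing 'Z' on older Pythons."""
    if ts is None:
        return None
    try:
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return None


def parse_lease_warnings(log_text: str) -> List[LeaseWarning]:
    """Extract every lease-threshold warning from the log text, in log order."""
    found = []
    for line in log_text.splitlines():
        m = LEASE_WARN_RE.match(line.strip())
        if m:
            found.append(LeaseWarning(_parse_ts(m.group("ts")),
                                      int(m.group("have")),
                                      int(m.group("threshold"))))
    return found


def lease_trend(warnings: List[LeaseWarning]) -> str:
    """Classify successive samples; 'growing' is the case the article says to act on."""
    if len(warnings) < 2:
        return "insufficient-data"
    deltas = [later.have - earlier.have for earlier, later in zip(warnings, warnings[1:])]
    if all(d > 0 for d in deltas):
        return "growing"
    if all(d < 0 for d in deltas):
        return "shrinking"
    return "fluctuating"


def growth_per_hour(warnings: List[LeaseWarning]) -> Optional[float]:
    """Average lease growth per hour between the first and last timestamped samples."""
    stamped = [w for w in warnings if w.timestamp is not None]
    if len(stamped) < 2:
        return None
    hours = (stamped[-1].timestamp - stamped[0].timestamp).total_seconds() / 3600.0
    if hours <= 0:
        return None
    return (stamped[-1].have - stamped[0].have) / hours


if __name__ == "__main__":
    warnings = parse_lease_warnings(SAMPLE_LOG)
    for w in warnings:
        print(f"{w.timestamp} have={w.have} threshold={w.threshold} "
              f"(+{w.pct_over_threshold:.1f}% over threshold)")
    print("trend:", lease_trend(warnings))
    rate = growth_per_hour(warnings)
    if rate is not None:
        print(f"average growth: {rate:.0f} leases/hour")
```

Feed it the operational log (for example journalctl output for the Vault unit) and run it on a schedule; a "growing" result over several hours is the signal to move on to the telemetry and quota steps above, while a one-off warning that then holds steady or shrinks is the normal case for a busy cluster.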