Problem
In Vault Operational Logs, the following entry appears:
[WARN] expiration: lease count exceeds warning lease threshold: have=xxxxxx threshold=256000
Prerequisites
- Vault
Cause
- The warning threshold by default is set to 250000. If the lease count exceeds the warning threshold, the warning will appear.
Solutions
Note that this is a WARN rather than an ERROR. If the Vault environment does have more than 250000 leases, this warning will appear, and this is normal for a heavily used Vault cluster. However, if the lease count keeps increasing, it is advisable to take the actions below:
- Start monitoring the leases using telemetry and see how leases are being generated. The KB How-to Leverage Vault Telemetry to help identify unexpected lease generation is a good place to get started.
- The article How to obtain the total count of leases in Vault can assist to identify the count of leases and see where the leases are coming from.
- Setting lease count quotas for every auth method is always a good idea to protect Vault, as any application can accidentally generate a large number of leases.
- There could be irrevocable leases in the Vault environment. Please follow this tutorial to check for and clean up the irrevocable leases.
- Note that the default token TTL (default_lease_ttl) and the max TTL (max_lease_ttl) are both set to 32 days (768 hours). It is possible that the default values have been adjusted to a longer timeframe, or that a 32-day timeframe is simply not needed in many situations. Consider lowering the TTLs, as users can always re-authenticate to get a new token. Furthermore, a long-lived unexpired token may pose security issues in the future.
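As a starting point for the monitoring step above, the following script parses the lease-count warning out of a Vault operational log excerpt and reports whether the count is merely over the threshold (normal for a busy cluster) or rising from one warning to the next (the case the article says deserves action). This is an added example, not code from HashiCorp or this KB; it assumes the message text shown in the Problem section and uses constructed log lines with a threshold of 256000 taken from that entry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pattern for the expiration warning in the Vault operational log.
# The timestamp and spacing in front of "[WARN]" vary by log format, so
# the match is anchored on the message text rather than the whole line.
WARN_RE = re.compile(
    r"\[WARN\]\s+expiration: lease count exceeds warning lease threshold: "
    r"have=(?P<have>\d+)\s+threshold=(?P<threshold>\d+)"
)


@dataclass
class LeaseWarning:
    have: int        # current lease count reported by Vault
    threshold: int   # warning threshold in force on that cluster


def parse_lease_warning(line: str) -> Optional[LeaseWarning]:
    """Return the have/threshold pair from one log line, or None if the
    line is not the lease-count warning."""
    m = WARN_RE.search(line)
    if m is None:
        return None
    return LeaseWarning(int(m.group("have")), int(m.group("threshold")))


def lease_trend(lines: List[str]) -> Dict[str, object]:
    """Summarise every lease-count warning in a log excerpt (lines are
    assumed to be in chronological order)."""
    warnings = [w for w in map(parse_lease_warning, lines) if w is not None]
    if not warnings:
        return {"warnings": 0, "peak": 0, "threshold": 0,
                "over_threshold_pct": 0.0, "monotonic_increase": False,
                "action_advised": False}
    counts = [w.have for w in warnings]
    threshold = warnings[-1].threshold
    peak = max(counts)
    # Strictly increasing across every warning is the "keeps increasing"
    # case that the article says deserves investigation.
    increasing = all(b > a for a, b in zip(counts, counts[1:]))
    return {
        "warnings": len(warnings),
        "peak": peak,
        "threshold": threshold,
        "over_threshold_pct": round((peak - threshold) / threshold * 100, 2),
        "monotonic_increase": increasing,
        # A single warning is just a busy cluster; a rising series is not.
        "action_advised": increasing and len(warnings) >= 2,
    }


# Constructed sample excerpt (not real Vault output): three warnings with a
# rising lease count, interleaved with an unrelated INFO line.
SAMPLE_LOG = [
    "2023-05-10T12:00:01.123Z [INFO]  core: post-unseal setup complete",
    "2023-05-10T12:05:01.456Z [WARN]  expiration: lease count exceeds warning lease threshold: have=260000 threshold=256000",
    "2023-05-10T12:10:01.789Z [WARN]  expiration: lease count exceeds warning lease threshold: have=275000 threshold=256000",
    "2023-05-10T12:15:02.012Z [WARN]  expiration: lease count exceeds warning lease threshold: have=290000 threshold=256000",
]

if __name__ == "__main__":
    for key, value in lease_trend(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the `[WARN]` lines from a real log (for example the output of a `grep` for "lease count exceeds") in chronological order; `action_advised` turning true is the signal to move on to the telemetry, quota and irrevocable-lease checks listed above.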
Additional Information
- https://hashicorp.zendesk.com/hc/en-us/articles/4415364506131
- https://hashicorp.zendesk.com/hc/en-us/articles/4404352486291
- https://learn.hashicorp.com/tutorials/vault/resource-quotas#set-lease-count-quotas
- https://learn.hashicorp.com/tutorials/vault/troubleshoot-irrevocable-leases?in=vault/monitoring#irrevocable-lease-behavior