Problem
On a Vault DR Secondary node, attempting to revoke the DR operation token with the standard token revocation command fails, because the token revocation endpoint is not served on a DR Secondary:
$ vault token revoke <dr_operation_token_decoded>
Cause
On a DR Secondary node only the following endpoints are enabled:
/v1/sys/leader
/v1/sys/seal-status
/v1/sys/health
/v1/sys/metrics
/v1/sys/replication/status
/v1/sys/replication/dr/status
/v1/sys/replication/dr/secondary/generate-public-key
/v1/sys/replication/dr/secondary/reindex
/v1/sys/replication/dr/secondary/recover
/v1/sys/replication/dr/secondary/promote
/v1/sys/replication/dr/secondary/disable
/v1/sys/replication/dr/secondary/update-primary
/v1/sys/replication/dr/secondary/operation-token/delete
/v1/sys/replication/dr/secondary/generate-operation-token/attempt
/v1/sys/replication/dr/secondary/generate-operation-token/update
/v1/sys/storage/raft/autopilot/configuration
/v1/sys/storage/raft/autopilot/state
/v1/sys/storage/raft/bootstrap
/v1/sys/storage/raft/bootstrap/challenge
/v1/sys/storage/raft/bootstrap/answer
/v1/sys/storage/raft/configuration
/v1/sys/storage/raft/remove-peer
/v1/sys/license
/v1/sys/license/signed
/v1/sys/license/status
/v1/sys/config/reload/license
Solutions:
To revoke the DR operation token from the DR Secondary node, use the dedicated `operation-token/delete` endpoint, which is one of the endpoints enabled on a DR Secondary. The token to revoke is passed as the `dr_operation_token` parameter.
API (`payload.json` carries the `dr_operation_token` field) - see the official documentation:
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/replication/dr/secondary/operation-token/delete
CLI:
$ vault write sys/replication/dr/secondary/operation-token/delete dr_operation_token=<token_decoded>
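The API call above wrapped in a small script, as an added example that is not part of the original article or of Vault itself. It assumes `VAULT_ADDR` and `VAULT_TOKEN` are exported and that `curl` is installed; before calling the delete endpoint it confirms via `sys/replication/dr/status` that the node really is a DR secondary, since the endpoint is only served there.

```shell
#!/usr/bin/env bash
# Added example (not from the article): revoke a DR operation token on a
# DR Secondary through sys/replication/dr/secondary/operation-token/delete.
# Assumes VAULT_ADDR and VAULT_TOKEN are set and curl is available.
set -eu

DR_STATUS_PATH="v1/sys/replication/dr/status"
DR_DELETE_PATH="v1/sys/replication/dr/secondary/operation-token/delete"

# Build the JSON body the delete endpoint expects. Backslashes and double
# quotes in the token are escaped so the JSON stays well-formed.
build_delete_payload() {
  escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"dr_operation_token":"%s"}' "$escaped"
}

# Pull the "mode" field out of a dr/status response without needing jq.
# Prints an empty string when the field is absent.
dr_mode_from_status() {
  printf '%s' "$1" \
    | sed -n 's/.*"mode"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Check the node is a DR secondary, then POST the delete request.
# Uses the X-Vault-Token header in the same form as the article's curl call.
revoke_dr_operation_token() {
  dr_token="$1"
  status=$(curl -sS --header "X-Vault-Token: $VAULT_TOKEN" \
             "$VAULT_ADDR/$DR_STATUS_PATH")
  mode=$(dr_mode_from_status "$status")
  if [ "$mode" != "secondary" ]; then
    echo "DR mode is '${mode:-unknown}', not 'secondary'; aborting" >&2
    return 1
  fi
  curl -sS --fail \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data "$(build_delete_payload "$dr_token")" \
    "$VAULT_ADDR/$DR_DELETE_PATH"
}

# Usage: revoke_dr_operation_token "<dr_operation_token_decoded>"
```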