
kes create tokens

Allan Roger Reid edited this page Jan 10, 2024 · 1 revision

1.- Set up kes and vault on separate servers, following https://github.com/minio/kes/wiki/Hashicorp-Vault-Keystore

2.- From the kes server box, invoke:

```sh
./kes key create minio-key-1 -k && ./kes key create minio-key-2 -k && ./kes key create minio-key-3 -k;
```

then list the keys that were created:

```sh
while true; do ./kes key ls -k; sleep 5; done;
```

3a.- Stop the kes server and restart it (or delete a kes pod):

```sh
./kes server --config config-skew.yml
```

3b.- On the vault server, list the token accessors. Observe that the number of accessors (tokens) increases after each restart.

```sh
export ROOT_TOKEN="hvs.uOjNhBdDKFsvsiiL95ppWldK"
curl \
     --header "X-Vault-Token: $ROOT_TOKEN" \
     --request LIST \
     https://allanroger.ddns.net:8200/v1/auth/token/accessors -k | jq  ".data.keys" | wc
```

4.- After a few minutes, observe several messages such as the following on the vault server. Observe that the number of accessors (tokens) does not decrease.

```text
2024-01-25T16:30:35.854Z [INFO]  expiration: revoked lease: lease_id=auth/approle/login/head92ba8b8ec3f1bfec243321af2ac056d8be7063b253998fa75913fdb908415
2024-01-25T16:30:35.996Z [INFO]  expiration: revoked lease: lease_id=auth/approle/login/ha50de878aab650da508312b3aef56cf0d315b43ee8d53200181ca28c6840266d
2024-01-25T16:31:09.706Z [INFO]  expiration: revoked lease: lease_id=auth/approle/login/h158c2f6a57aa100b6c0af9b58e4ac4d3a8a1d570b38577e4b83f9ad97e933e72
2024-01-25T16:32:15.889Z [INFO]  expiration: revoked lease: lease_id=auth/approle/login/h48d06f40155e34202fee371ce4dddc54cae04a017f444daaec45919512bcd572
2024-01-25T16:32:16.057Z [INFO]  expiration: revoked lease: lease_id=auth/approle/login/h4b49a5c52ad878218c31ce44d7bb8de091a575abb4e2aa6316dcaf120f6d4e3e
2024-01-25T16:32:49.745Z [INFO]  expiration: revoked lease: lease_id=auth/approle/login/h6aa9c3ff366a624f9988b5f64ffde50396ecb70008dcf9f64c554cbe3cafedab
```

5.- Attempt to reproduce with only vault, by first stopping the kes server, then:

6.- Log in to vault using the approle role_id and secret_id generated in (1):

```sh
curl \
    --request POST \
    --data '{"role_id":"b353f211-539f-e1b9-0ef5-3216fc20822b","secret_id":"2a7f9c8d-5ff5-9930-5cc2-d9e8e9e9681f"}' \
    https://allanroger.ddns.net:8200/v1/auth/approle/login -k | jq .
```

7.- List the keys using the token generated above. Observe that no `expiration: revoked lease` messages appear until the expected token expiry after 5 minutes.

```sh
export VAULT_TOKEN="hvs.CAESIJSU8Q4UUwdmFuZ1EuFFyNbRvHM4gHhTszc_qRFhk3x5Gh4KHGh2cy5WQXVTcXNMRjZTaG9Cc3NJRG03ZWpuQ3Q"
while true; do
curl \
    -H "X-Vault-Token: $VAULT_TOKEN" \
    -X LIST \
    https://allanroger.ddns.net:8200/v1/kv -k;
sleep 5; done;
```
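To make the counting in steps 3b and 4 repeatable, here is an added Python check (not part of this wiki or of kes) that diffs two `auth/token/accessors` listings taken before and after a kes restart and tallies `revoked lease` log lines per auth mount. The JSON responses and log lines are constructed samples in the formats shown above; the accessor and lease ids are made up.

```python
import json
import re
from collections import Counter

# Constructed sample: LIST /v1/auth/token/accessors responses captured
# before and after one kes restart (accessor values are made up).
BEFORE = json.dumps({"data": {"keys": ["acc-a", "acc-b"]}})
AFTER = json.dumps({"data": {"keys": ["acc-a", "acc-b", "acc-c", "acc-d"]}})

# Constructed vault log excerpt in the format seen in step 4 (lease ids made up).
VAULT_LOG = """\
2024-01-25T16:30:35.854Z [INFO]  expiration: revoked lease: lease_id=auth/approle/login/h0000aaaa
2024-01-25T16:31:09.706Z [INFO]  expiration: revoked lease: lease_id=auth/approle/login/h0000bbbb
2024-01-25T16:31:10.000Z [INFO]  core: successful mount: path=secret/
"""

# Matches the lease_id and splits off the auth mount (e.g. auth/approle/login).
REVOKED_RE = re.compile(
    r"expiration: revoked lease: lease_id=(?P<mount>auth/[^/]+/[^/]+)/(?P<id>\S+)"
)


def accessors(list_response: str) -> set:
    """Return the set of token accessors from a LIST auth/token/accessors response."""
    return set(json.loads(list_response)["data"]["keys"])


def revoked_by_mount(log_text: str) -> Counter:
    """Count 'revoked lease' events per auth mount in a vault log excerpt."""
    matches = (REVOKED_RE.search(line) for line in log_text.splitlines())
    return Counter(m.group("mount") for m in matches if m)


def token_growth(before: str, after: str, log_text: str,
                 mount: str = "auth/approle/login") -> dict:
    """Compare accessor listings around a restart and report net token growth.

    A restart that replaces its login token should net to zero; positive net
    growth means old tokens were left behind (they stay valid until their TTL).
    """
    b, a = accessors(before), accessors(after)
    created, gone = len(a - b), len(b - a)
    return {
        "created": created,
        "gone": gone,
        "net_growth": created - gone,
        "revoked_leases": revoked_by_mount(log_text)[mount],
        "accumulating": created - gone > 0,
    }
```

Replace the constructed samples with the real `curl ... | jq` output and the vault log to run it against the setup from step 1.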