Token

You created your first secret, learned about secrets engines and explored dynamic secrets with the Vault server you started in development mode.

In this tutorial, you will explore authentication with Vault tokens and GitHub credentials.

Token authentication

Token authentication is automatically enabled. When you started the dev server, the output displayed a root token. The Vault CLI read the root token from the $VAULT_TOKEN environment variable. This root token can perform any operation within Vault because it is assigned the root policy. One capability is to create new tokens.

Create a new token.

$ vault token create

Example output:

Key                  Value
---                  -----
token                s.iyNUhq8Ov4hIAx6snw5mB2nL
token_accessor       maMfHsZfwLB6fi18Zenj3qh6
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

The token is created, and the output describes it in a table of keys and values. The created token is displayed here as s.iyNUhq8Ov4hIAx6snw5mB2nL.

This token is a child of the root token, and by default, it inherits the policies from its parent.

Token is the core authentication method. You can use the generated token to log in to Vault by copying and pasting it when prompted.

Example:

Create another token.

The token is created and displayed here as s.TsKT5ubouZ7TF26Eg7wNIl3k. Each token that Vault creates is unique.

When a token is no longer needed, it can be revoked.

Revoke the first token you created.

Example:

The token has been revoked.

An attempt to log in with the revoked token will result in an error.

Revoking a token will also revoke all tokens that were created by the token.
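
The parent and child behaviour described above can be checked from the shell. The script below is an added example, not part of the original tutorial: it assumes the dev server from this tutorial is running with VAULT_ADDR and the root VAULT_TOKEN exported, and the names token_is_valid, revocation_demo and the *_AFTER variables are illustrative. It also creates one token with the -policy and -ttl options so that it does not inherit the root policy.

```shell
#!/bin/sh
# Added example. Assumes the tutorial's dev server is running and that
# VAULT_ADDR and the root VAULT_TOKEN are exported in this shell.

# Succeeds only while the given token is still accepted by Vault.
token_is_valid() {
    vault token lookup "$1" >/dev/null 2>&1
}

# Creates a parent token, a child of that parent and a scoped token, revokes
# the parent, then records each token's state in the *_AFTER variables.
revocation_demo() {
    # Child of the root token: inherits the root policy and never expires.
    parent=$(vault token create -field=token) || return 1
    # Authenticate as the parent so that this token becomes its child.
    child=$(VAULT_TOKEN="$parent" vault token create -field=token) || return 1
    # Also created by the root token, but limited to the default policy and
    # a one-hour TTL instead of inheriting root.
    scoped=$(vault token create -field=token -policy=default -ttl=1h) || return 1

    vault token revoke "$parent" >/dev/null || return 1

    if token_is_valid "$parent"; then PARENT_AFTER=valid; else PARENT_AFTER=revoked; fi
    if token_is_valid "$child"; then CHILD_AFTER=valid; else CHILD_AFTER=revoked; fi
    if token_is_valid "$scoped"; then SCOPED_AFTER=valid; else SCOPED_AFTER=revoked; fi

    # Clean up the token that outlived the parent.
    vault token revoke "$scoped" >/dev/null || return 1
    return 0
}

# Run the demo only when the first argument is "demo".
if [ "${1:-}" = "demo" ]; then
    revocation_demo || { echo "vault command failed" >&2; exit 1; }
    echo "parent=$PARENT_AFTER child=$CHILD_AFTER scoped=$SCOPED_AFTER"
fi
```

Revoking the parent takes the child with it, while the scoped token, which was created directly by the root token, stays valid until it is revoked or its TTL runs out.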
