Token

You created your first secret, learned about secrets engines and explored dynamic secrets with the Vault server you started in development mode.

In this tutorial, you will explore authentication with Vault tokens and GitHub credentials.

Token authentication

Token authentication is automatically enabled. When you started the dev server, the output displayed a root token. The Vault CLI read the root token from the $VAULT_TOKEN environment variable. This root token can perform any operation within Vault because it is assigned the root policy. One capability is to create new tokens.

Create a new token.

$ vault token create

Example output:

Key                  Value
---                  -----
token                s.iyNUhq8Ov4hIAx6snw5mB2nL
token_accessor       maMfHsZfwLB6fi18Zenj3qh6
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

The token is created and the output describes this token as a table of keys and values. The created token is displayed here as s.iyNUhq8Ov4hIAx6snw5mB2nL.

This token is a child of the root token, and by default, it inherits the policies from its parent.

Tokens are the core authentication method. You can use the generated token to log in to Vault by copying and pasting it when prompted.

Example:

$ vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.iyNUhq8Ov4hIAx6snw5mB2nL
token_accessor       maMfHsZfwLB6fi18Zenj3qh6
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Create another token.

$ vault token create

Key                  Value
---                  -----
token                s.TsKT5ubouZ7TF26Eg7wNIl3k
token_accessor       b1d0curWHYqmgCndk0G1cM6R
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

The token is created and displayed here as s.TsKT5ubouZ7TF26Eg7wNIl3k. Each token that Vault creates is unique.

When a token is no longer needed it can be revoked.

Revoke the first token you created.

Example:

$ vault token revoke s.iyNUhq8Ov4hIAx6snw5mB2nL

Success! Revoked token (if it existed)

The token has been revoked.

An attempt to log in with the revoked token results in an error.

$ vault login
Token (will be hidden):
Error authenticating: error looking up token: Error making API request.

URL: GET http://127.0.0.1:8200/v1/auth/token/lookup-self
Code: 403. Errors:

* permission denied

Revoking a token will also revoke all tokens that were created by the token.
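
Because a child token inherits its parent's policies, every token created above is itself a non-expiring root token. The following added example (not part of the original tutorial) parses the table printed by vault token create and flags that condition; the function name audit_token_table, the app-read policy name and all token values in the samples are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the table printed by `vault token create` (read on stdin).
# Prints one FINDING per line. Returns 0 = clean, 1 = findings, 2 = no token row.
audit_token_table() {
  awk '
    # Skip header/separator rows; every other row is "key   value".
    $1 == "Key" || $1 == "---" || NF < 2 { next }
    { key = $1; $1 = ""; sub(/^ +/, ""); val[key] = $0 }
    END {
      if (!("token" in val)) { print "ERROR: no token row found"; exit 2 }
      n = 0
      # A child inherits its parent policies by default, so a token created
      # while authenticated as root is itself a root token.
      if (val["token_policies"] ~ /"root"/) {
        print "FINDING: token carries the root policy"; n++
      }
      # Finite durations print as e.g. 1h; anything else means no expiry.
      if (val["token_duration"] !~ /^[0-9]/) {
        print "FINDING: token never expires (token_duration " val["token_duration"] ")"; n++
      }
      exit (n > 0)
    }'
}

# Constructed samples in the page's output format; all values are placeholders.
ROOT_CHILD='Key                  Value
---                  -----
token                s.PLACEHOLDER-ROOT-CHILD
token_accessor       PLACEHOLDER-ACCESSOR-1
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]'

SCOPED='Key                  Value
---                  -----
token                s.PLACEHOLDER-SCOPED
token_accessor       PLACEHOLDER-ACCESSOR-2
token_duration       1h
token_renewable      true
token_policies       ["app-read" "default"]
identity_policies    []
policies             ["app-read" "default"]'

printf '%s\n' "$ROOT_CHILD" | audit_token_table || echo "-> root-equivalent token"
printf '%s\n' "$SCOPED" | audit_token_table && echo "-> scoped token, no findings"
```

Against a live server, pipe the real output in with vault token create | audit_token_table. The -policy and -ttl flags of vault token create produce a token that passes both checks.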
