vhsm token

Learn how to manage authentication tokens on the vHSM server.

The vhsm token command manages authentication tokens in vHSM. Users can create, look up, renew, and revoke tokens.

Usage

vhsm token <subcommand> [options] [arguments]

Subcommands

Command         Description
capabilities    Print the capabilities of a token for a given path.
create          Create a new authentication token.
lookup          Retrieve information about a token.
renew           Extend the lease of a token.
revoke          Revoke a token and its children.

token capabilities

Fetches the capabilities of a token for a specified path.

Example

List capabilities for the current token on the secret/foo path:

vhsm token capabilities secret/foo

Output

read

List capabilities for a specific token on the database/creds/readonly path:

vhsm token capabilities 96ddf4bc-d217-f3ba-f9bd-017055595017 database/creds/readonly

Output

deny
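
The capabilities check above can be turned into a least-privilege audit that flags any path where a token holds more than it should. The script below is an added example, not part of the vHSM documentation; the function names, the expectation-file format, and the assumption that multiple capabilities are printed on one line separated by commas or spaces are all hypothetical.

```shell
#!/bin/sh
# Added example: least-privilege check built on `vhsm token capabilities`.
# Assumption: multiple capabilities are printed on one line, separated by
# commas and/or spaces (the page only shows single-word output).

# caps_excess ALLOWED ACTUAL: print the capabilities in ACTUAL that are not
# in ALLOWED. "deny" grants nothing, so it is never reported as excess.
caps_excess() {
    _allowed=$(printf '%s' "$1" | tr ',' ' ')
    _excess=""
    for _cap in $(printf '%s' "$2" | tr ',' ' '); do
        [ "$_cap" = "deny" ] && continue
        case " $_allowed " in
            *" $_cap "*) ;;                              # expected
            *) _excess="${_excess:+$_excess }$_cap" ;;   # more than expected
        esac
    done
    printf '%s' "$_excess"
}

# audit_token EXPECT_FILE [TOKEN]
# EXPECT_FILE lines: "<path> <allowed,capabilities>"; blank and '#' lines are
# skipped. Without TOKEN the currently authenticated token is checked.
# Returns 0 only if no path grants more than its allowed set.
audit_token() {
    _file=$1; _token=${2:-}; _rc=0
    while read -r _path _want; do
        case "$_path" in ''|'#'*) continue ;; esac
        # </dev/null keeps the CLI from consuming the rest of EXPECT_FILE.
        _have=$(vhsm token capabilities ${_token:+"$_token"} "$_path" </dev/null) || {
            echo "ERROR $_path: capability lookup failed" >&2
            _rc=1; continue
        }
        _extra=$(caps_excess "$_want" "$_have")
        if [ -n "$_extra" ]; then
            echo "FAIL  $_path: unexpected capabilities: $_extra"
            _rc=1
        else
            echo "ok    $_path: $_have"
        fi
    done < "$_file"
    return "$_rc"
}
```

Run audit_token with a file such as "secret/foo read" per line before handing a token to a workload; a non-zero exit status means at least one path grants more than expected or could not be checked.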

token create

Creates a new authentication token. The token inherits the policies of the currently authenticated token unless policies are specified explicitly.

Examples

Create a token with specific policies:

vhsm token create -policy=my-policy -policy=other-policy

Create a periodic token:

vhsm token create -period=30m

Options

Option              Description
-policy             Attach a policy to the token. Multiple policies can be added.
-ttl                Set an initial TTL for the token.
-renewable          Allow token renewal (default: true).
-explicit-max-ttl   Set a hard maximum lifetime for the token.

token lookup

Retrieves information about a token. If no token is provided, the currently authenticated token is used.

Examples

Get information about the current token:

vhsm token lookup

Get information about a specific token:

vhsm token lookup 96ddf4bc-d217-f3ba-f9bd-017055595017

Get information via a token's accessor:

vhsm token lookup -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da

token renew

Extends the lease of a token. If no token is provided, the currently authenticated token is used.

Examples

Renew a specific token:

vhsm token renew 96ddf4bc-d217-f3ba-f9bd-017055595017

Renew the currently authenticated token:

vhsm token renew

Renew a token with a specific increment:

vhsm token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017

Options

Option        Description
-increment    Request a specific renewal increment.

token revoke

Revokes authentication tokens and their children.

Examples

Revoke a specific token and its children:

vhsm token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017

Revoke a token but leave its children:

vhsm token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017

Revoke a token using an accessor:

vhsm token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248da

Options

Option       Description
-accessor    Treat argument as an accessor instead of a token.
-mode        Specify revocation mode (orphan to leave children intact).

Last updated 2 months ago