Generate a new root token for Hashicorp Vault

Posted on by Bian Xi

Generate a new root token for Hashicorp Vault

To generate a new root token without old token.

Steps

  • run shell in vault docker
$ docker exec -it vault sh
  • Unseal if haven't
$ vault operator unseal
  • Get Nonce and OTP
$ vault operator generate-root -init
Nonce         15565c79-cc9e-5e64b986-8506e7bd1918
...
OTP           mOXx7iVimjE6LXQ2Zna6NA==
...
  • Provide unseal key to retrieve Encoded Token

Note: Beware of last -.

echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -

Note: run vault operator generate-root only, will show nonce key.

The last person will get Encoded Token

Encoded Token    IxJpyqxn3YafOGhqhvP6cQ==
  • Get root token
vault operator generate-root \  -decode=IxJpyqxn3YafOGhqhvP6cQ== \  -otp=mOXx7iVimjE6LXQ2Zna6NA==

Revoke token

Note: The root token can be used to revoke itself.

Revoke a token and all the token’s children:

$ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017Success! Revoked token (if it existed)

Revoke a token leaving the token’s children:

$ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017Success! Revoked token (if it existed)

Revoke a token by accessor:

$ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248daSuccess! Revoked token (if it existed)

References

Generate Root Tokens Using Unseal Keys
token revoke

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


The reCAPTCHA verification period has expired. Please reload the page.