
What is the difference between a HashiCorp Vault lease and token accessor?


In HashiCorp Vault, when you create a service token, a lease is created and you get a token accessor. The lease ID is described as:

This is the ID used with commands such as vault lease renew and vault lease revoke to manage the lease of the secret.

The vault lease command doesn't work with service tokens, but service tokens also get leases, so the concept is present.

Token accessors are documented as having a limited set of actions, where the ability to renew and revoke a token are two of four such actions.

So from my perspective leases and accessors seem to have some overlapping functionality. What is the difference?


Solution

A Vault token lease id and a Vault token accessor indeed have two overlapping items of functionality:

  • token renewal
  • token revocation

The token accessor additionally permits:

  • looking up information about the token itself
  • looking up the token's capabilities as authorized by associated Vault policies

Thus by the principle of least privilege you should utilize the lease id for token renewal and revocation, and only use the token accessor if you additionally require information about the token itself and its capabilities as authorized by associated Vault policies.

Side note: certain secrets which are dynamic and renewable (e.g. database) also possess a lease id with similar functionality to the authentication token.
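An added example (not from the question, the answer, or HashiCorp's own code) showing the accessor-only side of this split: auditing outstanding service tokens through the lookup-accessor API without ever holding the tokens themselves. The sample responses, the 30-day TTL threshold and the `vault_lookup_accessor` helper are assumptions.

```python
"""Audit Vault service tokens by accessor, never handling the token itself."""
import json
import urllib.request

# Constructed sample responses (shape of POST /v1/auth/token/lookup-accessor,
# values invented). The real endpoint returns "id": "" because an accessor
# cannot reveal the token it points to, which is why it is safe to hand out.
SAMPLE_LOOKUPS = {
    "acc-app-web": {"data": {"id": "", "accessor": "acc-app-web",
                             "policies": ["default", "app-web-read"],
                             "ttl": 2700, "explicit_max_ttl": 0, "renewable": True}},
    "acc-ops-root": {"data": {"id": "", "accessor": "acc-ops-root",
                              "policies": ["root"],
                              "ttl": 0, "explicit_max_ttl": 0, "renewable": False}},
    "acc-batch": {"data": {"id": "", "accessor": "acc-batch",
                           "policies": ["default", "batch"],
                           "ttl": 31536000, "explicit_max_ttl": 0, "renewable": True}},
}

MAX_TTL_SECONDS = 30 * 24 * 3600  # assumption: tokens living longer than 30 days are flagged

def sample_lookup(accessor):
    """Offline stand-in for the lookup-accessor call (returns the constructed data)."""
    return SAMPLE_LOOKUPS[accessor]

def vault_lookup_accessor(vault_addr, auditor_token, accessor):
    """Live lookup: POST auth/token/lookup-accessor using the auditor's own token."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/auth/token/lookup-accessor",
        data=json.dumps({"accessor": accessor}).encode(),
        headers={"X-Vault-Token": auditor_token, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def audit_token(lookup):
    """Return findings for one token using only accessor-visible properties."""
    d = lookup["data"]
    findings = []
    if "root" in d.get("policies", []):
        findings.append("root policy")
    if d.get("ttl", 0) == 0 and d.get("explicit_max_ttl", 0) == 0:
        findings.append("never expires")  # ttl 0 with no max TTL: token does not expire
    elif d["ttl"] > MAX_TTL_SECONDS:
        findings.append("ttl exceeds limit")
    return findings

def audit_accessors(accessors, lookup_fn=sample_lookup):
    """Map each accessor to its findings; accessors with no findings are omitted."""
    report = {}
    for acc in accessors:
        findings = audit_token(lookup_fn(acc))
        if findings:
            report[acc] = findings
    return report

if __name__ == "__main__":
    print(json.dumps(audit_accessors(sorted(SAMPLE_LOOKUPS)), indent=2))
```

Against a live server, pass `lambda a: vault_lookup_accessor(addr, token, a)` as `lookup_fn`; a flagged accessor can then be revoked with `vault token revoke -accessor <accessor>` without anyone learning the token value.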