I wrote a script for renewing HashiCorp Vault tokens, but I faced an issue. When the token is renewed automatically by the script, Vault returns n/a instead of the token value, so I cannot save it anywhere, to a Kubernetes secret, for example.
Output looks like this:
--- -----
token n/a
token_accessor -------------
token_duration 10h
token_renewable true
token_policies ["default"]
identity_policies []
policies ["default"]
My script:
import subprocess
import json
from kubernetes import client, config

def renew_vault_token(vault_pod, token_id):
    try:
        # Renew the token by accessor from inside the Vault pod
        result = subprocess.run(
            ['kubectl', 'exec', '-ti', vault_pod, '-n', 'vault', '--', 'vault', 'token', 'renew', '-accessor', token_id],
            capture_output=True, text=True, check=True
        )
        output = result.stdout
        print("Vault renew output:", output)  # Debugging output
        # Pick the "token ..." row of the Key/Value table and take its value
        token_line = next(line for line in output.splitlines() if line.startswith('token '))
        new_token = token_line.split(None, 1)[1].strip()
        print(new_token)
        return new_token
    except subprocess.CalledProcessError as e:
        print(f"Error renewing token: {e}")
        return None

if __name__ == "__main__":
    VAULT_POD = 'vault-0'
    TOKEN_ID = '----------------'
    new_token = renew_vault_token(VAULT_POD, TOKEN_ID)
Thanks for the comment above. It turned out that during the vault token renew
command the token value does not change. So the script for the token renew process looks like:
import subprocess
import json
from kubernetes import client, config

def renew_vault_token(vault_pod, token_id):
    try:
        # Renewal only extends the TTL; the token value itself stays the same,
        # so there is no new value to parse out of the output
        result = subprocess.run(
            ['kubectl', 'exec', '-ti', vault_pod, '-n', 'vault', '--', 'vault', 'token', 'renew', '-accessor', token_id],
            capture_output=True, text=True, check=True
        )
        output = result.stdout
        print("Vault renew output:", output)
        return output
    except subprocess.CalledProcessError as e:
        print(f"Error renewing token: {e}")
        return None

if __name__ == "__main__":
    VAULT_POD = 'vault-0'
    token_ids = [
        '1ndTokenID',
        '2ndTokenID',
        '3rdTokenID'
    ]
    for token_id in token_ids:
        # Pass the loop variable, not a fixed TOKEN_ID, so each accessor is renewed
        output = renew_vault_token(VAULT_POD, token_id)
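Since renewal never yields a new token value, the useful thing to read from the renew output is whether the token is still renewable and how much TTL it now has. The following is an added example (not code from the question or answer above) that parses the Key/Value table Vault prints, converts the duration to seconds, and fails loudly when the token can no longer be renewed; the sample output is constructed from the table in the question, with a placeholder accessor.

```python
import re
import subprocess

# Constructed sample of `vault token renew -accessor ...` output (accessor is a placeholder).
SAMPLE_RENEW_OUTPUT = """\
Key                  Value
---                  -----
token                n/a
token_accessor       <accessor-placeholder>
token_duration       10h
token_renewable      true
token_policies       ["default"]
identity_policies    []
policies             ["default"]
"""

_DURATION_UNITS = {"h": 3600, "m": 60, "s": 1}


def parse_renew_output(output):
    """Turn the Key/Value table into a dict, skipping the header and separator rows."""
    fields = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] in ("Key", "---"):
            continue
        fields[parts[0]] = parts[1].strip()
    return fields


def duration_to_seconds(text):
    """Convert a Vault duration such as '10h', '1h30m' or '36000s' to seconds."""
    if not re.fullmatch(r"(\d+[hms])+", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(v) * _DURATION_UNITS[u] for v, u in re.findall(r"(\d+)([hms])", text))


def check_renewal(output):
    """Return the renewed TTL in seconds; raise if the token is no longer renewable.

    The 'token' field is 'n/a' by design: renewal extends the existing token's TTL
    and never issues a new value, so nothing here needs to be written to a Secret.
    """
    fields = parse_renew_output(output)
    if fields.get("token_renewable") != "true":
        raise RuntimeError("token is not renewable; a fresh login is required instead")
    return duration_to_seconds(fields["token_duration"])


def renew_by_accessor(vault_pod, accessor):
    """Run the same kubectl exec command as the question, without -t (no TTY is needed non-interactively)."""
    result = subprocess.run(
        ["kubectl", "exec", vault_pod, "-n", "vault", "--", "vault", "token", "renew", "-accessor", accessor],
        capture_output=True, text=True, check=True,
    )
    return check_renewal(result.stdout)
```

Scheduling the next run before the returned TTL elapses, and treating a `RuntimeError` as "re-authenticate", is what keeps the token from silently expiring.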