How to revoke all active tokens at once in Hashicorp Vault from a particular auth method?
I have been looking for a way to revoke all active tokens at once from a particular auth method in Hashicorp Vault. For example, there are two auth methods configured in my case: 1. Kubernetes, 2. OIDC. I want to revoke all the active OIDC tokens. Please let me know if you know how we can list or revoke all the tokens.
Thanks
Solution 1:[1]
The token auth backend API can do that for you.
With a token that has sudo privileges, you must:
- List all of the accessors
- Run through the list and keep the ones that have the path you want to revoke
- Revoke them using the accessor
You did not specify a language, so here is a bash implementation:
```bash
#!/bin/bash
# Pass the name of the auth mount as the first parameter or through the
# $AUTH_MOUNT_POINT_NAME environment variable. Defaults to ldap.
DEFAULT_MOUNT_NAME=${1-ldap}
: "${AUTH_MOUNT_POINT_NAME:=$DEFAULT_MOUNT_NAME}"
# Every token has an accessor; listing them needs sudo on auth/token/accessors
for accessor in $(vault list --format json auth/token/accessors | jq -r '.[]')
do
    # A token's path records which auth mount issued it (e.g. auth/ldap/login)
    path=$(vault write --field path auth/token/lookup-accessor accessor="${accessor}")
    # Match on the trailing slash so auth/ldap does not also catch auth/ldap2
    if [[ "$path" =~ ^auth/${AUTH_MOUNT_POINT_NAME}/ ]]
    then
        echo "Revoking ${path} (accessor ${accessor}) ..."
        vault write auth/token/revoke-accessor accessor="${accessor}"
    fi
done
```
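The same three steps (list accessors, look each one up, revoke the ones under the chosen mount) as an added Python example that is not part of ixe013's answer. It talks to the token auth HTTP API endpoints directly with the standard library, matches the mount name exactly so `oidc` does not also sweep up an `oidc-old` mount, skips accessors whose lookup fails because the token disappeared between listing and lookup, and offers a dry run. It assumes `VAULT_ADDR` and `VAULT_TOKEN` are set in the environment; the script name `revoke_mount_tokens.py` and the `SAMPLE_LOOKUPS` data are constructed for illustration.

```python
#!/usr/bin/env python3
# Revoke every Vault token issued by one auth mount, through the HTTP API.
# Added example, not code from the original answer. Assumes VAULT_ADDR and
# VAULT_TOKEN are set and that VAULT_TOKEN carries a sudo-capable policy.
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional

TOKEN_API = "/v1/auth/token"


def mount_prefix(mount: str) -> str:
    """Normalise 'oidc', 'oidc/' or 'auth/oidc' to the path prefix 'auth/oidc/'."""
    name = mount.strip("/")
    if name.startswith("auth/"):
        name = name[len("auth/"):]
    return f"auth/{name}/"


def issued_by_mount(lookup: Dict, mount: str) -> bool:
    """True if a lookup-accessor 'path' lies under the given auth mount."""
    # The trailing slash matters: revoking 'oidc' must leave a separate
    # 'oidc-old' mount alone, which a bare prefix match would not do.
    return (lookup.get("path") or "").startswith(mount_prefix(mount))


def select_accessors(lookups: Dict[str, Optional[Dict]], mount: str) -> List[str]:
    """Accessors to revoke, from {accessor: lookup data or None}.

    None marks a lookup that failed because the token expired or was revoked
    between listing and lookup; those are skipped rather than revoked blindly."""
    return sorted(acc for acc, data in lookups.items()
                  if data is not None and issued_by_mount(data, mount))


class VaultTokenApi:
    # Thin client for the three token-auth endpoints the answer relies on.
    def __init__(self, addr: str, token: str):
        self.addr, self.token = addr.rstrip("/"), token

    def _call(self, method: str, path: str, body: Optional[Dict] = None) -> Dict:
        req = urllib.request.Request(
            self.addr + path, method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()  # revoke-accessor answers 204 with an empty body
        return json.loads(raw) if raw else {}

    def list_accessors(self) -> List[str]:
        return self._call("GET", f"{TOKEN_API}/accessors?list=true")["data"]["keys"]

    def lookup_accessor(self, accessor: str) -> Optional[Dict]:
        try:
            return self._call("POST", f"{TOKEN_API}/lookup-accessor",
                              {"accessor": accessor})["data"]
        except urllib.error.HTTPError as err:
            if err.code in (400, 403):  # token already gone, or not visible to us
                return None
            raise

    def revoke_accessor(self, accessor: str) -> None:
        self._call("POST", f"{TOKEN_API}/revoke-accessor", {"accessor": accessor})


# Constructed sample lookup data, shaped like the "data" object that
# auth/token/lookup-accessor returns, so the selection logic can be run offline.
SAMPLE_LOOKUPS: Dict[str, Optional[Dict]] = {
    "acc-oidc-1":   {"path": "auth/oidc/oidc/callback", "display_name": "oidc-alice"},
    "acc-oidc-old": {"path": "auth/oidc-old/oidc/callback", "display_name": "oidc-bob"},
    "acc-k8s-1":    {"path": "auth/kubernetes/login", "display_name": "kubernetes-app"},
    "acc-root":     {"path": "auth/token/create", "display_name": "token"},
    "acc-gone":     None,
}


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        print("usage: revoke_mount_tokens.py <auth-mount> [--dry-run]", file=sys.stderr)
        return 2
    mount, dry_run = argv[1], "--dry-run" in argv[2:]
    api = VaultTokenApi(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    lookups = {acc: api.lookup_accessor(acc) for acc in api.list_accessors()}
    targets = select_accessors(lookups, mount)
    for acc in targets:
        print(f"{'would revoke' if dry_run else 'revoking'} {acc} ({lookups[acc]['path']})")
        if not dry_run:
            api.revoke_accessor(acc)
    print(f"{len(targets)} of {len(lookups)} accessors matched {mount_prefix(mount)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it first with `--dry-run` (`python3 revoke_mount_tokens.py oidc --dry-run`) to see which accessors and paths would be hit before revoking anything; revocation through the accessor also revokes the token's child tokens and leases, so the dry run doubles as a blast-radius check.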
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | ixe013 |
