---
author: Jacob Tomlinson
date: 2017-06-14 00:00:00 +0000
title: How to create a seal only token for Hashicorp Vault
---


When using Hashicorp's Vault you may want to have an authentication token which only has permissions to seal the vault. This can then be used in an emergency situation to seal the vault, perhaps through a chatbot.

## The policy

The seal only policy is fairly simple. Just create a `.hcl` policy file with the following contents:

```hcl
path "/sys/seal" {
  policy = "sudo"
}
```

## Create the policy

Create a new policy in vault using the policy file you just created.

```
vault policy-write seal-only /path/to/my/policy.hcl
```

## Generate a token

You can now generate tokens which only have the seal permission. You must do this with a root token or a user whose policy grants `sudo` on `auth/token/create`.

```
vault token-create -orphan -policy="seal-only"
```

This will print out a new token with seal only permissions.

```
Key            	Value
---            	-----
token          	abcdefgh-1234-5678-abcd-zyxwvutrspqo
token_accessor 	abcdefgh-1234-5678-abcd-zyxwvutrspqo
token_duration 	168h0m0s
token_renewable	true
token_policies 	[default seal-only]
```


As you can see from `token_duration`, this token will expire after 7 days (168h). If this token is being used by a bot or similar system, you probably want a scheduled process that renews the token before it expires, otherwise the emergency seal will fail exactly when you need it.
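The two things a bot holding this token has to do are keep the token alive and, when asked, seal Vault. The following is an added example, not code from the original post or from Vault itself. It talks to Vault's documented HTTP endpoints `auth/token/renew-self` (permitted by the `default` policy the token also carries, as the `token_policies` line shows) and `sys/seal` (the only `sudo` path the seal-only policy grants). The `transport` parameter, the environment variable names and the server address in the comments are assumptions made for this example so the logic can be exercised without a live Vault.

```python
"""Added example (not part of the original post): renew a seal-only token before its
168h TTL runs out, and seal Vault on demand over the HTTP API. The `transport` hook is
an assumption of this example so the code can run without a live server."""
import json
import re
import time
import urllib.error
import urllib.request

DURATION_RE = re.compile(r"(\d+)([hms])")
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert a Go-style duration as printed under token_duration ('168h0m0s') to seconds."""
    total, consumed = 0, ""
    for value, unit in DURATION_RE.findall(text):
        total += int(value) * UNIT_SECONDS[unit]
        consumed += value + unit
    if not text or consumed != text:
        raise ValueError(f"unrecognised duration: {text!r}")
    return total


def renew_after(ttl_seconds, fraction=0.5):
    """Seconds to wait before renewing: half the TTL, but never less than a minute."""
    return max(60, int(ttl_seconds * fraction))


def _urllib_transport(method, url, headers, data):
    """Default HTTP transport; returns (status, body bytes) and reports 4xx/5xx as a status, not an exception."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def vault_call(addr, token, method, path, body=None, transport=_urllib_transport):
    """One authenticated call against Vault's v1 API; returns (status, parsed JSON or None)."""
    headers = {"X-Vault-Token": token}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    status, raw = transport(method, addr.rstrip("/") + "/v1" + path, headers, data)
    return status, (json.loads(raw) if raw else None)


def renew_self(addr, token, transport=_urllib_transport):
    """Renew the bot's own token (allowed by the 'default' policy attached alongside seal-only).
    Returns the new TTL in seconds; raises once Vault refuses, e.g. when the token hits its max TTL."""
    status, body = vault_call(addr, token, "POST", "/auth/token/renew-self", transport=transport)
    if status != 200 or not body or "auth" not in body:
        raise RuntimeError(f"renew-self failed with HTTP {status}: {body}")
    auth = body["auth"]
    if not auth.get("renewable", False):
        raise RuntimeError("token is no longer renewable; issue a new seal-only token")
    return auth["lease_duration"]


def seal(addr, token, transport=_urllib_transport):
    """PUT sys/seal, the one sudo-level operation the seal-only policy grants. True on HTTP 204."""
    status, _ = vault_call(addr, token, "PUT", "/sys/seal", transport=transport)
    return status == 204


def renewal_loop(addr, token, initial_ttl, transport=_urllib_transport, sleep=time.sleep, rounds=None):
    """Keep the token alive: wait half its TTL, renew, repeat. `rounds` bounds the loop (used by tests)."""
    ttl, done = initial_ttl, 0
    while rounds is None or done < rounds:
        sleep(renew_after(ttl))
        ttl = renew_self(addr, token, transport=transport)
        done += 1
    return ttl


if __name__ == "__main__":
    import os
    addr = os.environ["VAULT_ADDR"]      # e.g. https://vault.example.com:8200 (constructed address)
    token = os.environ["VAULT_TOKEN"]    # the seal-only token printed by `vault token-create`
    renewal_loop(addr, token, parse_duration("168h0m0s"))
```

Renewing at half the TTL leaves a full window to notice a failed renewal. Renewal is not unlimited: Vault stops renewing once the token reaches its max TTL, at which point `renew_self` raises, and the right response is to alert and issue a fresh seal-only token, not to retry silently, because an expired token means the `seal` call will be refused in the emergency the token exists for.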
