Acquisition complete HashiCorp officially joins the IBM family. Learn more
Vault
Vault Home

token renew

The token renew renews a token's lease, extending the amount of time it can be used. If a TOKEN is not provided, the locally authenticated token is used. Lease renewal will fail if the token is not renewable, the token has already been revoked, or if the token has already reached its maximum TTL.

Examples

Create a token first:

$ vault token create
Key                Value
---                -----
token              hvs.CAESIJk8P_ieg60yf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU
token_accessor     ntL634hzE0CtQnyCIqkxSa82
token_duration     768h
token_renewable    true
token_policies     [default]

Renew a token using the token value and the /auth/token/renew endpoint:

$ vault token renew hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU
Key                Value
---                -----
token              n/a
token_accessor     ntL634hzE0CtQnyCIqkxSa82
token_duration     768h
token_renewable    true
token_policies     [default]

Alternatively, renew a token using its accessor value. Renewing with the accessor vault is is useful when you do not have the actual token:

$ vault token renew -accessor ntL634hzE0CtQnyCIqkxSa82
Key                Value
---                -----
token              n/a
token_accessor     ntL634hzE0CtQnyCIqkxSa82
token_duration     768h
token_renewable    true
token_policies     [default]

Renew the currently authenticated token (this uses the /auth/token/renew-self endpoint and permission):

$ vault token renew

Renew a token requesting a specific increment value:

$ vault token renew -increment=30m hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU

Fail if the requested TTL increment cannot be fully fulfilled:

$ vault token renew -increment=30m hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU --fail-if-not-fulfilled || vault login

You can renew tokens using the token itself or the associated accessor. The token_accessor parameter lets you perform limited operations (like renewal) without requiring sensitive data so you can manage tokens without handling the secret token itself.

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -format (default: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the VAULT_FORMAT environment variable.

Command options

  • -increment (duration: "") - Request a specific increment for renewal. Vault will not honor this request for periodic tokens. If not supplied, Vault will use the default TTL. This is specified as a numeric string with suffix like "30s" or "5m". This is aliased as "-i".

  • -accessor (bool: false) - Treat the argument as an accessor instead of a token. When this option is selected, the output will NOT include the token.

  • --fail-if-not-fulfilled - Fail if the requested TTL increment cannot be fully fulfilled. Vault allows command chaining and token renewal request completion with capped duration even if renew request fails.

Edit this page on GitHub