Tokens
- Service tokens: prefix hvs. (hvs.XXXXXXXXXXXX), 95 characters long
- Batch tokens: prefix hvb. (hvb.XXXXXXXXXX)
- Recovery tokens: prefix hvr.
Vault Interfaces
- Users or machines authenticate to Vault via one of the authentication methods.
- After authentication, Vault generates a token carrying its properties and attached policies.
- Once authentication is done and a token has been issued, all further interactions with Vault are done using that token.
- The user provides Vault the token together with the details of the requested operation.
- Vault verifies the token for expiry, validity and permissions; only then does it perform the operation and return data to the user or machine.
Tokens
- Tokens are the core method of authentication
- Most operations in Vault require a token, though not all (the authentication calls themselves do not)
- The token authentication method is responsible for creating and storing tokens
- Tokens can be used directly, or they can be generated dynamically by other authentication methods, such as authenticating with an external identity like LDAP
- Tokens have one or more policies attached that control what the token is allowed to perform
Types of Tokens
Service Tokens
- The default type of token
- They are persisted to storage, which means heavy reads and writes on the storage backend
- Can be renewed, revoked, and can create child tokens
Batch Tokens
- These are encrypted binary large objects (BLOBs)
- Designed to be lightweight and scalable
- They are not persisted in storage, and they are not fully featured (no renew, no revoke)
- Ideal for high volume operations like encryption
- Can be used for DR replication cluster promotion, because batch tokens are replicated from the primary cluster to the secondary cluster, whereas service tokens are not
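The prefixes and the service/batch distinction above decide what a responder can do when a token turns up where it should not, e.g. pasted into an application log: a service token is persisted and can be looked up and revoked, a batch token cannot be revoked and simply lives until its TTL ends. The scanner below is an added example, not code from these notes or from Vault; it assumes the hvs./hvb./hvr. prefixes and the 95-character service token length stated above, and the token-body character set and the sample log lines are constructed for illustration.

```python
import re
from typing import Dict, List

# Prefixes from the notes: hvs. (service), hvb. (batch), hvr. (recovery).
# The body character set is an assumption; real token bodies are long opaque strings.
TOKEN_RE = re.compile(r"\bhv([sbr])\.[A-Za-z0-9_\-]{20,}")
SERVICE_TOKEN_LEN = 95  # full service token length including the "hvs." prefix
KIND = {"s": "service", "b": "batch", "r": "recovery"}


def classify(token: str) -> Dict[str, object]:
    """Describe, by token type, what a defender can do about a leaked token."""
    kind = KIND[token[2]]
    info: Dict[str, object] = {"type": kind, "length": len(token)}
    if kind == "service":
        # Persisted to storage: can be looked up and revoked individually.
        info["revocable"] = True
        info["well_formed"] = len(token) == SERVICE_TOKEN_LEN
    else:
        # Batch tokens are stateless blobs (nothing to revoke, expire at TTL);
        # recovery tokens only exist while Vault runs in recovery mode.
        info["revocable"] = False
        info["well_formed"] = True
    return info


def scan_log(text: str) -> List[Dict[str, object]]:
    """Find token-shaped strings in log text and report them without echoing the secret."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            entry = classify(token)
            entry["line"] = lineno
            # Keep only a short fingerprint so the report itself does not leak the token.
            entry["fingerprint"] = token[:8] + "..." + token[-4:]
            findings.append(entry)
    return findings


# Constructed placeholder tokens (not real secrets): a full 95-char service token,
# a batch token, and a service token that was truncated when copied.
FAKE_SERVICE = "hvs." + "A1b2C3d4" * 11 + "xyz"
FAKE_BATCH = "hvb." + "B" * 60
FAKE_TRUNCATED = "hvs." + "Q" * 40
SAMPLE_LOG = (
    "2024-05-01T10:00:00Z app[1]: header X-Vault-Token: " + FAKE_SERVICE + "\n"
    "2024-05-01T10:00:01Z worker[7]: using " + FAKE_BATCH + " for transit encrypt\n"
    "2024-05-01T10:00:02Z app[1]: copied token " + FAKE_TRUNCATED + " (pasted?)\n"
    "2024-05-01T10:00:03Z app[1]: no secrets on this line\n"
)
```

Running `scan_log(SAMPLE_LOG)` reports the service token as revocable and well formed, the batch token as not revocable, and the truncated service token as malformed because it is shorter than 95 characters.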