How to enumerate Vault root tokens

Enumerate Vault root tokens by looking up every token accessor.

Use the JSON output format to locate root tokens.

$ vault list -format json auth/token/accessors | \
  jq --raw-output ".[]" | \
  xargs -I{} vault token lookup -format json -accessor {} | \
  jq --raw-output 'select(.data.path=="auth/token/root") | .data.accessor'
NBIy4iydKZgrYDsoUwMIpwcL
Ie2zOw7FxgyNhx4KJopUpDTo

Display token details.

$ vault list -format json auth/token/accessors | \
  jq --raw-output ".[]" | \
  xargs -I{} vault token lookup -format json -accessor {} | \
  jq --raw-output 'select(.data.path=="auth/token/root") | .data'
{
  "accessor": "NBIy4iydKZgrYDsoUwMIpwcL",
  "creation_time": 1658688009,
  "creation_ttl": 0,
  "display_name": "root",
  "entity_id": "",
  "expire_time": null,
  "explicit_max_ttl": 0,
  "id": "",
  "meta": null,
  "num_uses": 0,
  "orphan": true,
  "path": "auth/token/root",
  "policies": [
    "root"
  ],
  "ttl": 0,
  "type": "service"
}
{
  "accessor": "Ie2zOw7FxgyNhx4KJopUpDTo",
  "creation_time": 1658015760,
  "creation_ttl": 0,
  "display_name": "root",
  "entity_id": "",
  "expire_time": null,
  "explicit_max_ttl": 0,
  "id": "",
  "meta": null,
  "num_uses": 0,
  "orphan": true,
  "path": "auth/token/root",
  "policies": [
    "root"
  ],
  "ttl": 0,
  "type": "service"
}

Notice that the lookup sub-command does not display the token for a given accessor: the "id" field in the output is empty.
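
The following audit helper is an added example, not part of the original post. It parses the concatenated JSON documents that the xargs pipeline above emits and goes beyond the path filter by matching on the root policy, because a root token can create further root tokens through auth/token/create, which the path filter does not match. The function names and the sample accessors are assumptions made for this example.

```python
import json
import sys
import time

# Constructed sample: three concatenated `vault token lookup -format json`
# documents, trimmed to the fields used here. Accessors are placeholders.
SAMPLE = """
{"data": {"accessor": "EXAMPLE-ACCESSOR-A", "creation_time": 1658688009,
          "expire_time": null, "path": "auth/token/root",
          "policies": ["root"], "ttl": 0}}
{"data": {"accessor": "EXAMPLE-ACCESSOR-B", "creation_time": 1658256009,
          "expire_time": null, "path": "auth/token/create",
          "policies": ["root"], "ttl": 0}}
{"data": {"accessor": "EXAMPLE-ACCESSOR-C", "creation_time": 1658688009,
          "expire_time": "2022-07-24T19:40:09Z", "path": "auth/token/create",
          "policies": ["default", "app"], "ttl": 3600}}
"""

def iter_json_documents(text):
    """Yield each document from a stream of back-to-back JSON objects."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1  # raw_decode() does not accept leading whitespace
        if pos >= len(text):
            return
        doc, pos = decoder.raw_decode(text, pos)
        yield doc

def find_root_tokens(text, now):
    """Return findings for tokens holding the root policy, oldest first."""
    findings = []
    for doc in iter_json_documents(text):
        data = doc.get("data") or {}
        if "root" not in (data.get("policies") or []):
            continue
        findings.append({
            "accessor": data["accessor"],
            "path": data.get("path"),
            "age_days": (now - data["creation_time"]) // 86400,
            "never_expires": data.get("ttl") == 0 and data.get("expire_time") is None,
        })
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

if __name__ == "__main__":
    # Pass "-" to read real lookup output from stdin instead of the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for finding in find_root_tokens(text, int(time.time())):
        print(json.dumps(finding))
```

To run it against a live server, pipe the output of the first three pipeline stages (without the final jq filter) into the script with "-" as its only argument.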