Generate a new Vault root token.
Data from the Vault initialization process that will be needed later (the unseal keys and the initial root token).
$ vault operator init
Unseal Key 1: SLpEi9hrk52mgxay66UnW0ZS2u1tpoQMT7Dj4sYVFoWq
Unseal Key 2: uC0VAgbWjLPYGf5mothT9bqLjSa5HW83F7VdWuFnLfAs
Unseal Key 3: jy7w3CanszT2b7SgfFAtcyq7IBOHqiOMstq+TtaZAz2G
Unseal Key 4: COo33dElKW8qLwbc/c+HbKkDe9UryCaWvd+PDcugUP+7
Unseal Key 5: sCJnTYQfYif5aUB9o49RAt6jpfVlMQSLivsDS+VFxJc4

Initial Root Token: hvs.BKpRwvIYboA6C9QrY5V7OnxA

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Initiate the root token generation process.
$ vault operator generate-root -init
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.

Nonce         e136a526-460d-e652-80d9-7fbf84cdc314
Started       true
Progress      0/3
Complete      false
OTP           tWpIETuGewnSpTVyRFTseNTTgmja
OTP Length    28
Provide the required unseal keys, one per invocation, until the threshold (3 of 5) is reached.
$ vault operator generate-root
Operation nonce: e136a526-460d-e652-80d9-7fbf84cdc314
Unseal Key (will be hidden):
Nonce         e136a526-460d-e652-80d9-7fbf84cdc314
Started       true
Progress      1/3
Complete      false

$ vault operator generate-root
Operation nonce: e136a526-460d-e652-80d9-7fbf84cdc314
Unseal Key (will be hidden):
Nonce         e136a526-460d-e652-80d9-7fbf84cdc314
Started       true
Progress      2/3
Complete      false
Check status in the meantime.
$ vault operator generate-root -status
Nonce         e136a526-460d-e652-80d9-7fbf84cdc314
Started       true
Progress      2/3
Complete      false
OTP Length    28
$ vault operator generate-root
Operation nonce: e136a526-460d-e652-80d9-7fbf84cdc314
Unseal Key (will be hidden):
Nonce         e136a526-460d-e652-80d9-7fbf84cdc314
Started       true
Progress      3/3
Complete      true
Encoded Token HCEDZyNmPSgvPwsdAhljSRQrFSYcPyExUVsEAA
Decode the new root token using the encoded token and the OTP from the -init step.
$ vault operator generate-root -decode HCEDZyNmPSgvPwsdAhljSRQrFSYcPyExUVsEAA \
    -otp tWpIETuGewnSpTVyRFTseNTTgmja
hvs.f2HoJHeNrM50FmAUyque66na
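The decode step reproduced as an added Python example (not the page's or Vault's own code): the encoded token is the new root token XORed with the OTP and base64-encoded without padding, which is why the OTP has to be protected exactly like the token it unlocks. The generate_otp helper is a constructed stand-in for what the CLI does at -init; the encoded token and OTP values are the ones from the session above.

```python
import base64
import secrets
import string


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; Vault requires the OTP and the token to have the same length."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} token bytes vs {len(b)} OTP bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def decode_root_token(encoded_token: str, otp: str) -> str:
    """What `vault operator generate-root -decode` does on the client:
    base64-decode the encoded token (Vault prints it without '=' padding),
    then XOR it with the OTP bytes to recover the plaintext root token."""
    padded = encoded_token + "=" * (-len(encoded_token) % 4)
    return xor_bytes(base64.b64decode(padded), otp.encode("ascii")).decode("ascii")


def encode_root_token(token: str, otp: str) -> str:
    """The server-side direction: XOR the new token with the OTP and emit
    unpadded base64. This is the `Encoded Token` shown once 3/3 shares are in."""
    raw = base64.b64encode(xor_bytes(token.encode("ascii"), otp.encode("ascii")))
    return raw.decode("ascii").rstrip("=")


def generate_otp(length: int = 28) -> str:
    """Constructed stand-in for the OTP the CLI generates at -init:
    random alphanumeric, same length as the token it will protect."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Values from the session above: the Encoded Token and the OTP printed at -init.
    encoded = "HCEDZyNmPSgvPwsdAhljSRQrFSYcPyExUVsEAA"
    otp = "tWpIETuGewnSpTVyRFTseNTTgmja"
    token = decode_root_token(encoded, otp)
    print(token)  # hvs.f2HoJHeNrM50FmAUyque66na

    # Round trip with a constructed OTP: without the OTP the encoded token is
    # useless; with it, the encoded token is equivalent to the root token.
    fresh_otp = generate_otp()
    assert decode_root_token(encode_root_token(token, fresh_otp), fresh_otp) == token
```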
Get root token details.
$ VAULT_TOKEN=hvs.f2HoJHeNrM50FmAUyque66na vault token lookup
Key                 Value
---                 -----
accessor            NBIy4iydKZgrYDsoUwMIpwcL
creation_time       1658688009
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  hvs.f2HoJHeNrM50FmAUyque66na
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service
List the accessors of all root tokens (every token whose path is auth/token/root); the new one and the old one should both appear.
$ vault list -format json auth/token/accessors | \
    jq --raw-output ".[]" | \
    xargs -I{} vault token lookup -format json -accessor {} | \
    jq --raw-output 'select(.data.path=="auth/token/root") | .data.accessor'
NBIy4iydKZgrYDsoUwMIpwcL
Ie2zOw7FxgyNhx4KJopUpDTo
Revoke the old root token by its accessor (the one not matching the accessor from the lookup above).
$ vault token revoke -accessor Ie2zOw7FxgyNhx4KJopUpDTo
Success! Revoked token (if it existed)