16. Session token lifecycle management (renewal, re-login and revocation)
A Vault session token (also referred to as a LoginToken) is quite similar to a lease: it has a TTL and a max TTL, and it may expire. Once a login token expires, it can no longer be used to interact with Vault. Therefore, Spring Vault ships with a SessionManager API for imperative and reactive use.
Spring Cloud Vault maintains the session token lifecycle by default. Session tokens are obtained lazily, so the actual login is deferred until the first session-bound use of Vault. Once Spring Cloud Vault obtains a session token, it retains it until expiry. The next time a session-bound activity is used, Spring Cloud Vault logs in to Vault again and obtains a new session token. On application shutdown, Spring Cloud Vault revokes the token if it is still active, which terminates the session.
Session lifecycle management is enabled by default and can be disabled by setting spring.cloud.vault.session.lifecycle.enabled to false. Disabling it is not recommended: session tokens can expire, after which Spring Cloud Vault can no longer access Vault.
spring.cloud.vault:
    session.lifecycle:
        enabled: true
        refresh-before-expiry: 10s
        expiry-threshold: 20s
- enabled controls whether session lifecycle management is enabled to renew session tokens. Enabled by default.
- refresh-before-expiry controls the point in time when the session token gets renewed. The refresh time is calculated by subtracting refresh-before-expiry from the token expiry time. Defaults to 5 seconds.
- expiry-threshold sets the expiry threshold. The threshold represents a minimum TTL duration to consider a session token as valid. Tokens with a shorter TTL are considered expired and are not used anymore. Should be greater than refresh-before-expiry to prevent token expiry. Defaults to 7 seconds.
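The following simulation, added here as an illustration and not code from Spring Cloud Vault or Spring Vault, models the lifecycle rules described above on a simulated clock: lazy login on first use, renewal scheduled at token expiry minus refresh-before-expiry, a renewed token whose reported TTL falls below expiry-threshold treated as expired and replaced by a fresh login, and revocation on shutdown. FakeVault, SessionToken, SessionLifecycle and the accessor labels are constructed for the example; FakeVault caps renewals at a max TTL so that the re-login path is exercised. The model applies expiry-threshold to the TTL a token reports when it is issued or renewed, which is an assumption about where the check sits.

```python
"""Model of the session-token lifecycle described above.

Constructed example, not Spring Cloud Vault's or Spring Vault's own code. It
encodes only the rules stated in the text: lazy login on first use, renewal
scheduled at expiry minus refresh-before-expiry, a token whose TTL is below
expiry-threshold treated as expired (so a fresh login replaces it), and
revocation on shutdown. FakeVault stands in for the Vault server and caps
renewals at a max TTL; all times are seconds on a simulated clock.
"""
from dataclasses import dataclass


@dataclass
class SessionToken:
    accessor: str   # constructed label, not a real Vault accessor
    ttl: float      # lifetime reported by the server at issue or renewal


class FakeVault:
    """Stand-in server: issues tokens with a TTL and renews them up to max TTL."""

    def __init__(self, ttl=60.0, max_ttl=130.0):
        self.ttl, self.max_ttl = ttl, max_ttl
        self.logins = self.renewals = 0
        self.revoked = []
        self.issued_at = None

    def login(self, now):
        self.logins += 1
        self.issued_at = now
        return SessionToken(f"acc-{self.logins}", self.ttl)

    def renew(self, token, now):
        # The server never extends a token past issue time + max TTL.
        self.renewals += 1
        remaining_max = self.issued_at + self.max_ttl - now
        return SessionToken(token.accessor, max(0.0, min(self.ttl, remaining_max)))

    def revoke(self, token):
        self.revoked.append(token.accessor)


class SessionLifecycle:
    """Client-side lifecycle driven by the two tunables from the text."""

    def __init__(self, vault, refresh_before_expiry=5.0, expiry_threshold=7.0):
        if expiry_threshold <= refresh_before_expiry:
            raise ValueError("expiry-threshold should be greater than refresh-before-expiry")
        self.vault = vault
        self.refresh_before_expiry = refresh_before_expiry
        self.expiry_threshold = expiry_threshold
        self.token = None
        self.expires_at = None
        self.log = []   # (time, event, accessor)

    def _accept(self, token, now, event):
        self.token, self.expires_at = token, now + token.ttl
        self.log.append((now, event, token.accessor))

    def _login(self, now):
        self._accept(self.vault.login(now), now, "login")

    def get_token(self, now):
        """Login is lazy: the first session-bound use triggers it."""
        if self.token is None:
            self._login(now)
        return self.token

    def next_refresh_at(self):
        """Renewal time = token expiry minus refresh-before-expiry."""
        return self.expires_at - self.refresh_before_expiry

    def refresh(self, now):
        renewed = self.vault.renew(self.token, now)
        if renewed.ttl < self.expiry_threshold:
            # Too short to count as valid (max TTL reached): drop it, log in again.
            self.log.append((now, "expired", renewed.accessor))
            self._login(now)
            return "re-login"
        self._accept(renewed, now, "renew")
        return "renew"

    def run(self, until):
        """Drive the simulated clock from 0 to `until`, firing each scheduled refresh."""
        self.get_token(0.0)
        while self.next_refresh_at() <= until:
            self.refresh(self.next_refresh_at())
        return self.log

    def shutdown(self, now):
        """Revoke the token on shutdown if it is still active."""
        if self.token is not None and self.expires_at > now:
            self.vault.revoke(self.token)
            self.token = None
            return True
        return False


if __name__ == "__main__":
    vault = FakeVault()
    lifecycle = SessionLifecycle(vault, refresh_before_expiry=10.0, expiry_threshold=20.0)
    for entry in lifecycle.run(until=150.0):
        print(entry)
    print("revoked on shutdown:", lifecycle.shutdown(150.0))
```

With the configured values from the YAML above (10s and 20s) and a server that issues 60-second tokens capped at a 130-second max TTL, the run shows two ordinary renewals, then a renewal that comes back with only 10 seconds of TTL, which is below the 20-second threshold and so triggers a fresh login instead of keeping a token that is about to expire. The constructor also rejects an expiry-threshold that is not greater than refresh-before-expiry, matching the recommendation in the list.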
See also: Vault Documentation: Token Renewal