Introduction

HashiCorp Vault is widely used for secure secret management. One of its key features is fine-grained access control via policies and tokens. Vault tokens are used to authenticate and access secrets stored in HashiCorp Vault. To keep access secure, it is best practice to tie tokens to specific policies and revoke them when no longer needed.

Prerequisites

  1. A working Vault setup (development or production mode)
  2. Vault CLI is installed and accessible via your terminal
  3. Root token or sufficient privileges to manage policies and tokens
  4. An SSH user with sudo privileges

Implementation

I. To create a new Vault token against a policy

$ vault token create -ttl=0 -policy=policyname -address=http://127.0.0.1:8200 -tls-skip-verify

a. Purpose:
This command creates a new Vault token that is bound to a specific policy, with the maximum allowed TTL. It is useful when granting long-term access (up to Vault’s configured max_ttl) to an application or service based on a defined policy.

b. Explanation:
(i) vault token create – Creates a new token
(ii) -ttl=0 – Sets the token’s explicit TTL (Time To Live) to 0, which tells Vault to assign the maximum allowed TTL. Vault will issue a token with a TTL of 768 hours, not infinite.
(iii) -policy=policyname – Binds the token to a policy
(iv) -address=http://127.0.0.1:8200 – Points the Vault CLI to the local Vault server
(v) -tls-skip-verify – Skips TLS certificate verification (not recommended for production mode)

II. To look up the token

$ vault token lookup <your-token>

Replace <your-token> with the actual token string.

a. Purpose:
This command is used to view detailed information about a Vault token, such as when it was created, how long it’s valid, which policies it’s tied to, and whether it’s renewable. It’s helpful for auditing and debugging purposes.

b. Explanation:
(i) When it was created
(ii) Its TTL value
(iii) What policies it’s associated with
(iv) Whether it’s renewable
(v) Its metadata and usage limits

III. To revoke a token

$ vault token revoke -address="http://127.0.0.1:8200" -tls-skip-verify <your-token>

a. Purpose:
This command revokes (invalidates) a Vault token, making it unusable for any further API calls or secret access. Once revoked, the token is immediately deleted from Vault’s active token store.

b. Explanation:
(i) vault token revoke – The base command to revoke a token
(ii) -address="http://127.0.0.1:8200" – Specifies the Vault server address
(iii) -tls-skip-verify – Skips TLS certificate verification
(iv) <your-token> – The full token string you want to revoke
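The three steps above (create, look up, revoke) can also be driven from a script, which is the form most teams use when tokens are issued and cleaned up automatically. The following Python example is added here and is not part of the original post; it calls the same Vault HTTP endpoints that the CLI commands use (auth/token/create, auth/token/lookup, auth/token/revoke-accessor) through the standard library only. It assumes VAULT_ADDR and VAULT_TOKEN environment variables carry the server address and an admin token, and uses a placeholder policy name. It also adds an offline audit_token() check over the lookup output, so the "auditing" purpose of step II becomes concrete: the two SAMPLE_* lookup blocks are constructed for this example and are not real Vault output.

```python
"""Create / look up / revoke a Vault token via the HTTP API, then audit lookup data.

Added example, not the post's own code. Assumes VAULT_ADDR and VAULT_TOKEN are set
when talking to a real server; the audit part runs offline on constructed data.
"""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")
MAX_TTL_SECONDS = 768 * 3600  # Vault's default system max TTL, as the post states


def vault_call(path, payload=None, token=None):
    """POST payload (or GET when payload is None) to /v1/<path>; {} on an empty 204 reply."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}",
        data=data,
        headers={"X-Vault-Token": token or VAULT_TOKEN, "Content-Type": "application/json"},
        method="POST" if data is not None else "GET",
    )
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else {}


def create_token(policy, ttl="1h"):
    """Step I: token bound to one policy with a short explicit TTL (not the 768h default)."""
    auth = vault_call("auth/token/create", {"policies": [policy], "ttl": ttl})["auth"]
    return auth["client_token"], auth["accessor"]


def lookup_token(token):
    """Step II: the 'data' block of auth/token/lookup (same fields as `vault token lookup`)."""
    return vault_call("auth/token/lookup", {"token": token})["data"]


def revoke_by_accessor(accessor):
    """Step III: revoke via accessor so the secret token value need not be handled again."""
    vault_call("auth/token/revoke-accessor", {"accessor": accessor})


def audit_token(data, max_ttl_seconds=MAX_TTL_SECONDS):
    """Return findings for a lookup 'data' block that indicate over-privileged or long-lived tokens."""
    findings = []
    if "root" in data.get("policies", []):
        findings.append("root policy attached")
    if data.get("ttl", 0) == 0 and data.get("expire_time") is None:
        findings.append("never expires")          # ttl 0 with no expire_time = non-expiring token
    elif data.get("ttl", 0) > max_ttl_seconds:
        findings.append("ttl exceeds system max")
    if data.get("period"):
        findings.append("periodic: renewable indefinitely")
    if data.get("orphan"):
        findings.append("orphan: not revoked with its parent")
    return findings


# Constructed samples shaped like `vault token lookup -format=json` .data (not real output).
SAMPLE_ROOT = {
    "accessor": "acc-root-example", "policies": ["root"], "ttl": 0, "expire_time": None,
    "renewable": False, "orphan": True, "num_uses": 0, "type": "service",
}
SAMPLE_SCOPED = {
    "accessor": "acc-scoped-example", "policies": ["default", "policyname"], "ttl": 2764800,
    "expire_time": "2025-01-01T00:00:00Z", "renewable": True, "orphan": False,
    "num_uses": 0, "type": "service",
}

if __name__ == "__main__":
    for name, sample in (("root", SAMPLE_ROOT), ("scoped", SAMPLE_SCOPED)):
        print(name, audit_token(sample))
    if VAULT_TOKEN:  # full round trip only against a reachable Vault server
        token, accessor = create_token("policyname")
        print(audit_token(lookup_token(token)))
        revoke_by_accessor(accessor)
```

Revoking by accessor is the variant to prefer in automation: the accessor can be logged and stored without granting any access, whereas the token string itself is the secret. The audit flags are deliberately conservative; a periodic or orphan token is often legitimate for a long-running service, but it is exactly the kind of token that should be reviewed rather than forgotten.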

Conclusion:

Vault tokens provide secure and flexible access to secrets, but must be managed carefully. Mismanaged tokens can lead to over-permissioned access, security gaps, and compliance issues.
