Delete secret after lease time

I have started using Vault. When I add a secret to Vault I pass lease=10s, but after 10 seconds the secret is not deleted. How can I get the secret removed from Vault?

vault write -address=http://localhost:8200 secret/foo name=foo lease=10s
Success! Data written to: secret/foo

vault read -address=http://localhost:8200 -format=json secret/foo
{
        "request_id": "498db605-a238-2d99-2e36-7045c826f48d",
        "lease_id": "",
        "lease_duration": 10,
        "renewable": false,
        "data": {
                "lease": "10s",
                "name": "foo"
        },
        "warnings": null
}

The secret TTL on the KV secrets backend is not actually meant to delete the secret; it is more of an advisory field for consumers retrieving the secret: https://www.vaultproject.io/docs/secrets/kv/index.html#ttls

Unlike other secrets engines, the KV secrets engine does not enforce TTLs for expiration. Instead, the lease_duration is a hint for how often consumers should check back for a new value. This is commonly displayed as refresh_interval instead of lease_duration to clarify this in output.

Even with a ttl set, the secrets engine never removes data on its own. The ttl key is merely advisory.

You can use cubbyhole to enforce a TTL on a certain kind of secret: the cubbyhole is destroyed once its token expires. Each cubbyhole is scoped to the token that uses it, and no two tokens can access each other's cubbyhole: https://www.vaultproject.io/docs/secrets/cubbyhole/index.html
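As an added example (not part of the original answer or of Vault's own client code), here is how a consumer can act on the advisory lease_duration the quoted docs describe: treat it as a refresh interval and re-read the secret once it elapses. The response is the JSON from the question; the duration parser, the `SecretCache` class and the injected clock are constructed for this example.

```python
import json
import re

# Constructed from the `vault read -format=json secret/foo` output in the question.
SAMPLE_RESPONSE = json.loads("""{
  "request_id": "498db605-a238-2d99-2e36-7045c826f48d",
  "lease_id": "",
  "lease_duration": 10,
  "renewable": false,
  "data": {"lease": "10s", "name": "foo"},
  "warnings": null
}""")

_UNITS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(text):
    """Convert a Vault duration string such as '10s', '5m' or '1h' to seconds."""
    match = re.fullmatch(r"(\d+)([smh])", text.strip())
    if not match:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(match.group(1)) * _UNITS[match.group(2)]


def refresh_interval(response):
    """Seconds after which a consumer should re-read the secret (0 = every access)."""
    if response.get("lease_duration"):          # the hint Vault returns
        return int(response["lease_duration"])
    data = response.get("data") or {}
    for key in ("ttl", "lease"):                # fall back to a ttl/lease key in the data
        if key in data:
            return parse_duration(str(data[key]))
    return 0


class SecretCache:
    """Holds one KV read and re-fetches once the advisory interval has elapsed."""
    def __init__(self, fetch, clock):
        self._fetch = fetch      # callable returning a Vault read response dict
        self._clock = clock      # callable returning the current time in seconds
        self._response, self._expires_at, self.fetch_count = None, 0.0, 0

    def get(self):
        now = self._clock()
        if self._response is None or now >= self._expires_at:
            self._response = self._fetch()
            self.fetch_count += 1
            self._expires_at = now + refresh_interval(self._response)
        return self._response["data"]
```

Vault never deletes the KV entry itself; the cache only guarantees that a stale copy is not served past the interval the server advertised.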