HashiCorp Vault Token not renewing

Harness can use a HashiCorp Vault to store secrets used during deploys,

  • Usernames
  • Passwords
  • Certificates

To name a few. After the initial setup customers encounter issues with Harness not being able to pull secrets. A common problem issue is the wrong type of token was during the initial setup.

To integrate with Harness, you need to create a periodic token.

The command to create a periodic token is

vault token create -policy=<name-of-policy> -period=1d.

The period should be significantly greater than the Renewal Interval given in Harness. For example, if you set a period for ~60 minutes, then the renewal should be at most 45 minutes to give us enough time to retry in case of abnormal failures.

If a customer setup a period token the screen output would look like this,

Notice the TTL of the token. A non-periodic token you cannot increase the TTL to be greater than what it is currently.

Here is a sample for a periodic token.

Notice that there is period field in the output.