Difficulty: beginner
Estimated Time: 10 minutes


Before a client can interact with HashiCorp Vault, it must authenticate against an auth method to acquire a token. This token has policies attached so that the behavior of the client can be governed.

Since tokens are the core method for authentication within Vault, there is a token auth method (often referred to as token store). This is a special auth method responsible for creating and storing tokens.

Consider the following scenarios often encountered outside of Vault:

  • There is no break glass procedure available for revoking access to credentials in the event of a breach
  • Credentials for external systems (e.g. AWS, MySQL) are shared
  • Need temporal access to a database in a specific scenario


Vault has built-in support for secret revocation. Vault can revoke not only a single secret, but also a tree of secrets. For example, Vault can revoke all secrets read by a specific user or all secrets of a specific type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

If a user or machine needs a temporal access to Vault, you can set a short TTL or a number of uses to a token so the token is automatically revoked at the end of its life.

This also allows for organizations to plan and train for various "break glass" procedures.

Almost all operations in HashiCorp Vault requires a token; therefore, it is important to understand the token lifecycle as well as different token parameters that affects the token's lifecycle. This lab demonstrates various token parameters.

  1. Create a Short-Lived Tokens
  2. Token Renewal
  3. Create Tokens with Use Limit
  4. Create a Token Role and Periodic Token
  5. Create an Orphan Token

This scenario gave you an introduction to Vault token lifecycle.

  1. Created a Short-Lived Tokens
  2. Renewed Token TTL
  3. Created Tokens with Use Limit
  4. Created a Token Role and Periodic Token
  5. Created an Orphan Token

To learn more, please reference the following:


Vault Token Lifecycle

Step 1 of 7

Getting Started

Enter the following command to start the Vault server in development mode.

Click on the command () will automatically copy it into the terminal and execute it.

vault server -dev -dev-root-token-id="root"

Scroll up the Terminal to locate the following output:

==> Vault server configuration:

             Api Address:
                     Cgo: disabled
         Cluster Address:
              Listener 1: tcp (addr: "", cluster address: "", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
                 Storage: inmem
                 Version: Vault v1.0.0
             Version Sha: c19cef14891751a23eaa9b41fd456d1f99e7e856

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

When Vault is running in development mode, it runs entirely in-memory that the data does not get persisted. This build-in, pre-configured server is useful for local development, testing and exploration.

Login with root token

Click the + next to the opened Terminal, and select Open New Terminal.

New Terminal

In the Terminal 2, set the VAULT_ADDR environment variable:

export VAULT_ADDR=''

Login with the generated root token.

vault login root

Now, you are logged in as a root and ready to play!