mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/commands/token/renew.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

111 lines
4.1 KiB
Plaintext
Raw Permalink Blame History

---
layout: docs
page_title: token renew - Command
description: |-
The "token renew" renews a token's lease, extending the amount of time it can
be used. If a TOKEN is not provided, the locally authenticated token is used.
Lease renewal will fail if the token is not renewable, the token has already
been revoked, or if the token has already reached its maximum TTL.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# token renew
The `token renew` renews a token's lease, extending the amount of time it can be
used. If a TOKEN is not provided, the locally authenticated token is used. Lease
renewal will fail if the token is not renewable, the token has already been
revoked, or if the token has already reached its maximum TTL.
## Examples
Create a token first:
```shell-session
$ vault token create
Key Value
--- -----
token hvs.CAESIJk8P_ieg60yf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU
token_accessor ntL634hzE0CtQnyCIqkxSa82
token_duration 768h
token_renewable true
token_policies [default]
```
Renew a token using the token value and the `/auth/token/renew` endpoint:
```shell-session
$ vault token renew hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU
Key Value
--- -----
token n/a
token_accessor ntL634hzE0CtQnyCIqkxSa82
token_duration 768h
token_renewable true
token_policies [default]
```
Alternatively, renew a token using its accessor value. Renewing with the
accessor vault is is useful when you do not have the actual token:
```shell-session
$ vault token renew -accessor ntL634hzE0CtQnyCIqkxSa82
Key Value
--- -----
token n/a
token_accessor ntL634hzE0CtQnyCIqkxSa82
token_duration 768h
token_renewable true
token_policies [default]
```
Renew the currently authenticated token (this uses the `/auth/token/renew-self`
endpoint and permission):
```shell-session
$ vault token renew
```
Renew a token requesting a specific increment value:
```shell-session
$ vault token renew -increment=30m hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU
```
Fail if the requested TTL increment cannot be fully fulfilled:
```shell-session
$ vault token renew -increment=30m hvs.CAESIJk8P_ieg6Oyf9c92rl0S5j1mdMh7docAoHVS2q7UQ8bGh4KHGh2cy5uQ3dNQUhvbnFhTWl5cVJpMGxpVDhMZWU --fail-if-not-fulfilled || vault login
```
You can renew tokens using the token itself or the associated accessor.
The `token_accessor` parameter lets you perform limited operations (like
renewal) without requiring sensitive data so you can manage tokens
without handling the secret token itself.
## Usage
The following flags are available in addition to the [standard set of
flags](/vault/docs/commands) included on all commands.
### Output options
- `-format` `(default: "table")` - Print the output in the given format. Valid
formats are "table", "json", or "yaml". This can also be specified via the
`VAULT_FORMAT` environment variable.
### Command options
- `-increment` `(duration: "")` - Request a specific increment for renewal.
Vault will not honor this request for periodic tokens. If not supplied, Vault will use
the default TTL. This is specified as a numeric string with suffix like "30s"
or "5m". This is aliased as "-i".
- `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a
token. When this option is selected, the output will NOT include the token.
- `--fail-if-not-fulfilled` - Fail if the requested TTL increment cannot be
fully fulfilled. Vault allows command chaining and token renewal request
completion with capped duration even if renew request fails.
Reference in New Issue View Git Blame Copy Permalink