Vault Token Renewal: TTLs & max

Vault tokens and dynamic secrets expire on a TTL, and renewals are constrained by multiple ceilings such as Max TTL and Period. Knowing which layer caps which value is a recurring exam theme.

This article sticks to the stable behavior documented officially and covers the difference between TTL, Max TTL, and Period, the rules around renewal, the order in which tuning settings take effect, and the operational pitfalls you need to avoid.

TTL and Max TTL Basics: Definitions and Mental Model

TTL is the remaining lifetime from issuance, while Max TTL is the absolute upper bound on total lifespan including renewals (for non-Periodic tokens). The server clamps every renewal request to these limits, so the actual extension rarely matches the raw -increment you pass.

Periodic tokens assume continuous renewal within each Period and therefore have no theoretical upper bound on total lifespan. Batch tokens are lightweight but cannot be renewed. The lease TTL of dynamic secrets is a separate concept from token TTL and is governed by the secrets engine, role configuration, and mount-level ceilings.

Non-Periodic tokens: TTL can be extended via renewal, but total lifespan is capped by Max TTL.
Periodic tokens: must be renewed within each Period. Max TTL does not apply and lifespan is theoretically unbounded.
Batch tokens: not renewable. Intended for short-lived access-token use cases.
Dynamic secrets: lease TTL and Max TTL depend on the secrets engine and role configuration.

Subject	How initial TTL / Period is set	Renewable?	How the ceiling works
Service token (non-Periodic)	Request value, or role token_ttl, or auth method token_ttl	Yes (renewable=true)	Capped by token_max_ttl (role / auth method) and ultimately the system max_lease_ttl
Service token (Periodic)	Role or auth method token_period	Yes (must renew within each Period)	Max TTL does not apply; theoretically unbounded as long as renewals happen
Batch token	-ttl at issuance (capped by mount / system)	No	Only the initial TTL, since it cannot be renewed
Dynamic secret lease	Role ttl (falls back to mount default_lease_ttl)	Yes, when the role / engine permits	Role max_ttl and mount max_lease_ttl

Lifespan of a non-Periodic token (TTL vs Max TTL)

T0                   T1             T2                T_max
|---------------------|--------------|------------------|
発行                  更新1          更新2               Max TTL到達

残TTL:  ^^^^^^^^^^^^^
更新は可能だが、T_max（発行時刻+token_max_ttl）を越えては延長されない

Renewability by Token Type: Service / Periodic / Batch

Whether a token can be renewed depends on its type and the attributes set at creation. Service tokens are renewable when renewable=true, Periodic tokens must be renewed within each Period, and Batch tokens cannot be renewed at all. Use lookup to verify renewable status and Period.

Here are CLI examples. Issuing a Periodic token requires either an authorized root / admin token or going through an auth method or role that defines a Period.

Inspect renewable, ttl, policies, and period with vault token lookup
Batch tokens are lightweight but cannot be renewed, cannot issue child tokens, and have no cubbyhole
Periodic tokens can run indefinitely with no Max TTL, but they expire instantly the moment you miss a renewal

Basics of token creation and renewal

# サービストークン（非Periodic、更新可）
$ vault token create -ttl=20m
Key                  Value
---                  -----
token                s.XYZ...

# 更新（サーバ側で上限に丸められる）
$ vault token renew -increment=30m s.XYZ...

# バッチトークン（更新不可）
$ vault token create -type=batch -ttl=30m
$ vault token renew s.BATCH...
Error: token is not renewable

# Periodicトークン（権限がある場合の例。認証メソッド/ロールでperiodを設定するのが実務的）
$ vault token create -period=1h
$ vault token lookup s.PERIODIC...
period          1h
renewable       true

How Ceilings Are Decided: Role / Auth Method / System Precedence

Even though the request value looks like the top-level input, the actual initial TTL and renewal ceilings are progressively constrained by role, auth method, and system settings. Exams routinely ask which layer governs which value.

Here is the typical precedence. Once a period is set, the token becomes Periodic and any Max TTL is ignored.

TTL / Period in the issuance request (CLI options or API payload)
Role configuration (e.g. token_ttl, token_max_ttl, token_period)
Auth method tuning (token_ttl, token_max_ttl, token_period)
Mount / system default_lease_ttl and max_lease_ttl (the final ceiling)
When Periodic is in effect, Max TTL does not apply (renewal within each Period is required)

Auth method tuning example (userpass)

# 認証メソッドを有効化
$ vault auth enable userpass

# 初期TTLとMax TTLをチューニング（非Periodic）
$ vault auth tune -token-ttl=30m -token-max-ttl=4h userpass/

# Periodicにしたい場合（Max TTLではなくPeriodが効く）
$ vault auth tune -token-period=1h userpass/

# ユーザー作成とログイン（例）
$ vault write auth/userpass/users/alice password='s3cr3t' policies=default
$ vault login -method=userpass username=alice password='s3cr3t'

# 付与されたトークンの属性を確認
$ vault token lookup

Renewal in Practice: What -increment Really Means, Clamping, and Observability

The -increment on renew is a desired value. The server clamps the resulting TTL against Max TTL, Period, and policy ceilings. Clamping is normal behavior, not an error.

Verify the TTL before and after each renewal with lookup. For Periodic tokens, scheduling renewals at around 60-80% of the Period gives you a stable cadence.

Clamping example: a token with 8 minutes of TTL left and 10 minutes until Max TTL renewed with -increment=30m can extend by at most 10 minutes
Periodic tokens cannot be extended beyond their Period, and they expire immediately if you skip a renewal
Batch tokens cannot be renewed; do not swallow the resulting error in your monitoring

Minimal renew + observe loop

# 現在のTTL/属性を確認
$ vault token lookup s.XYZ...

# 希望増分を指定して更新（結果はサーバで丸め）
$ vault token renew -increment=45m s.XYZ...

# 再度確認
$ vault token lookup s.XYZ...

Dynamic Secret Leases vs Token TTL

Lease TTLs for dynamic secrets are configured independently from token TTL, but when the parent token expires or is revoked, the leases it issued are generally revoked too. In practice, either ensure token TTL is at least as long as the lease in use, or run a reliable token renewal job.

Lease renewal and token renewal use different APIs. Keep these pipelines separate so you do not confuse them, and design for re-issuance on expiry plus least-privilege access.

Renew a lease: sys/leases/renew (vault lease renew)
Renew a token: equivalent to sys/auth/token/renew-self (vault token renew)
Expiring a parent token cascades into revocation of its child leases and child tokens

Treat lease renewal and token renewal as separate concerns

# 例: 動的シークレットのリースIDを更新
$ vault lease renew database/creds/readonly/AbCdEfGh

# 例: アクティブなトークンを延長
$ vault token renew -increment=30m

# 注意: トークンをrevokeすると、当該トークンで発行したリースは取り消される
$ vault token revoke s.XYZ...

Exam Checklist and Common Pitfalls

For Associate prep, make sure two things are airtight: which setting governs which ceiling, and the fact that Periodic tokens are not bound by Max TTL. In production, the renewal schedule and monitoring should always be designed together.

Periodic and Max TTL never apply at the same time (Periodic wins)
Batch tokens cannot be renewed; any token with renewable=false cannot be renewed either
The -increment on renew is a request, not a guarantee — the server clamps the result
Ceilings are tightened in the order role > auth method > system (the stricter side wins)
Expiring a parent token triggers revocation of its child leases and child tokens
Continuously observe renewable / ttl / period with lookup, and fire alerts on TTL thresholds

Check Your Understanding

Associate

問題 1

Which statement about Vault token renewal is most accurate?

A Periodic token, as long as it is renewed within each Period, can stay valid without being bounded by Max TTL.
A Batch token can be renewed exactly once if you pass -increment.
A non-Periodic token is not constrained by Max TTL when Period is unset.
If the CLI requests a TTL longer than the role's token_max_ttl, the CLI value wins.

正解: A

Periodic tokens renew based on the Period and are not capped by Max TTL. Batch tokens cannot be renewed. Non-Periodic tokens are bound by Max TTL, and any CLI-supplied TTL is clamped by the role, auth method, and system limits.

Frequently Asked Questions

Does -increment on renew always extend the TTL by exactly that amount?

No. The value you pass is a request, not a guarantee. The server clamps the result against Max TTL, Period, and policy/mount limits. Verify the actual outcome with vault token lookup.

Can a Periodic token also have a Max TTL?

No. Once token_period is set, the token is Periodic and Max TTL no longer applies. Continuous operation requires regular renewals within each Period.

If I extend a token's TTL, does that also extend the lease TTL of dynamic secrets it issued?

No. Token renewal and lease renewal are different APIs. Renew each lease individually as needed. Also note that when the parent token expires, its leases are generally revoked.

Check what you learned with practice questions

Practice with certification-focused question sets

Try free practice questions

Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.

Vault Token Renewal: Mastering TTL and Max TTL for Reliable Renewal Operations