diff --git a/changelog/29060.txt b/changelog/29060.txt new file mode 100644 index 000000000000..41e9ab952d2f --- /dev/null +++ b/changelog/29060.txt @@ -0,0 +1,3 @@ +```release-note:improvement +CLI: adds an optional flag (--fail-if-not-fulfilled) to the renew command, which lets the renew command fail on unfulfillable requests and allows command chaining to allow further executions. +``` \ No newline at end of file diff --git a/command/token_renew.go b/command/token_renew.go index c354b4e6a506..b7e5f573cf27 100644 --- a/command/token_renew.go +++ b/command/token_renew.go @@ -21,8 +21,9 @@ var ( type TokenRenewCommand struct { *BaseCommand - flagAccessor bool - flagIncrement time.Duration + flagAccessor bool + flagIncrement time.Duration + flagFailIfNotFulfilled bool } func (c *TokenRenewCommand) Synopsis() string { @@ -86,6 +87,15 @@ func (c *TokenRenewCommand) Flags() *FlagSets { "numeric string with suffix like \"30s\" or \"5m\".", }) + f.BoolVar(&BoolVar{ + Name: "fail-if-not-fulfilled", + Target: &c.flagFailIfNotFulfilled, + Default: false, + EnvVar: "", + Completion: complete.PredictNothing, + Usage: "Fail if the requested TTL increment cannot be fully fulfilled.", + }) + return set } @@ -140,5 +150,10 @@ func (c *TokenRenewCommand) Run(args []string) int { return 2 } + if c.flagFailIfNotFulfilled && secret.Auth.LeaseDuration < int(increment.Seconds()) { + c.UI.Info("Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled") + return 1 + } + return OutputSecret(c.UI, secret) } diff --git a/command/token_renew_test.go b/command/token_renew_test.go index 4fc469995b05..fa2a1b65642f 100644 --- a/command/token_renew_test.go +++ b/command/token_renew_test.go @@ -56,6 +56,18 @@ func TestTokenRenewCommand_Run(t *testing.T) { "", 0, }, + { + "fail_if_not_fulfilled_exceeds_max_ttl", + []string{"-increment", "33d", "--fail-if-not-fulfilled"}, + "Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled", + 1, + }, + { + "fail_if_not_fulfilled_within_max_ttl", + []string{"-increment", "30m", "--fail-if-not-fulfilled"}, + "", + 0, + }, } t.Run("validations", func(t *testing.T) { diff --git a/website/content/docs/commands/token/renew.mdx b/website/content/docs/commands/token/renew.mdx index c957db9f1b43..8372eb2e35b3 100644 --- a/website/content/docs/commands/token/renew.mdx +++ b/website/content/docs/commands/token/renew.mdx @@ -36,6 +36,12 @@ Renew a token requesting a specific increment value: $ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017 ``` +Fail if the requested TTL increment cannot be fully fulfilled: + +```shell-session +$ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017 --fail-if-not-fulfilled || vault login +``` + ## Usage The following flags are available in addition to the [standard set of @@ -53,3 +59,7 @@ flags](/vault/docs/commands) included on all commands. Vault will not honor this request for periodic tokens. If not supplied, Vault will use the default TTL. This is specified as a numeric string with suffix like "30s" or "5m". This is aliased as "-i". + +- `--fail-if-not-fulfilled` - Fail if the requested TTL increment cannot be fully fulfilled. +Vault will allow token renewal request completion with capped duration even if renew request fails. +And Vault will also allow command chaining after renew command.