Root tokens in Vault are unique in lacking a TTL. The HashiCorp Vault documentation states: "Non-root tokens are associated with a TTL, which determines for how long a token is valid. Root tokens are not associated with a TTL, and therefore, do not expire." It provides an example: "For example, notice that the value for token_duration is the infinity symbol, meaning it lives forever," as seen in a vault login output for a root token.
The docs elaborate: "Root tokens are tokens with an infinite TTL that have the ‘root’ policy attached to them. Because of their power, it is strongly recommended that they be used only as necessary and then immediately revoked when no longer needed." In contrast:
Child tokens (A) inherit TTLs from parents.
Parent tokens (B) typically have TTLs unless they are root.
Service tokens (C) have configurable TTLs for ongoing use.
Batch tokens (E) have fixed TTLs for ephemeral tasks.
Thus, D (Root tokens) is correct.
Reference: HashiCorp Vault Documentation - Tokens: Token Time to Live