Starts a background process that watches for a Vault token and renews it when its TTL is below a given percent of its total lifetime
#!/usr/bin/env bash
set -eu -o pipefail
# usage: $ [interval=seconds] [log=path] [renew_ttl_percent=percent] ./vault-token-watchdog.sh
#   interval           seconds between token checks (default 600)
#   log                file that receives the watchdog's output (default: inherit stdout/stderr)
#   renew_ttl_percent  renew once the remaining TTL is below this percent of creation_ttl (default 50)
# The token checked and renewed is whichever one the `vault` CLI is configured to use;
# VAULT_ADDR and friends must be set in the environment before starting the script.
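main() {
  # Poll the CLI's current Vault token and renew it once its remaining TTL
  # drops below renew_ttl_percent percent of its creation_ttl.  Loops until
  # killed; one line of log output per event, timestamped with `date -Is`.
  #
  # Environment:
  #   renew_ttl_percent - threshold in percent (default 50)
  #   interval          - seconds between checks (default 600)
  local token_info remaining_ttl creation_ttl ttl_percent output exit_code
  while true; do
    # Lookup fails for a revoked, expired or missing token; the CLI prints
    # the error body on stderr, which is deliberately discarded here.
    if token_info="$(vault token lookup -format=json 2> /dev/null)"; then
      # `// 0` turns an absent field into 0 instead of the string "null",
      # which would otherwise reach the arithmetic below.
      remaining_ttl="$(jq -r '.data.ttl // 0' <<< "$token_info")"
      creation_ttl="$(jq -r '.data.creation_ttl // 0' <<< "$token_info")"
      if [[ ! "$remaining_ttl" =~ ^[0-9]+$ || ! "$creation_ttl" =~ ^[0-9]+$ ]]; then
        echo "$(date -Is) Could not read token TTL from lookup output"
      elif (( creation_ttl == 0 )); then
        # A creation_ttl of 0 is a token without expiry: there is nothing to
        # renew, and dividing by it would be a fatal arithmetic error that,
        # under set -e, silently killed the backgrounded watchdog.
        echo "$(date -Is) Vault token has no TTL; nothing to renew"
      else
        ttl_percent=$((100 * remaining_ttl / creation_ttl))
        if ((ttl_percent < "${renew_ttl_percent:-50}")); then
          # Capture stderr too: renewal errors are reported there, not on
          # stdout.  $? is read in the else branch, where it is the status of
          # the failed command; inside `if ! cmd; then` it was always 0, so
          # the original log line never showed the real exit code.  The
          # success output is discarded on purpose: it includes the token
          # itself and must not end up in a log file.
          if output="$(vault token renew 2>&1)"; then
            echo "$(date -Is) Renewed Vault token"
          else
            exit_code=$?
            echo "$(date -Is) Could not renew Vault token: $exit_code: $output"
          fi
        fi
      fi
    else
      echo "$(date -Is) Vault token is invalid or has expired"
    fi
    sleep "${interval:-600}"
  done
}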
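# Run the watchdog in the background, optionally writing its output to $log.
# A redirection cannot be produced by parameter expansion: the original
# `main ${log:+&> $log} &` passed the literal words "&>" and the path to main
# as arguments, so the log file was never written.  The redirection has to be
# spelled out literally.
if [[ -n "${log:-}" ]]; then
  # Error text from the vault CLI can include request details, so create the
  # log file readable only by the user running the watchdog.  umask is set in
  # a subshell so it does not affect anything the watchdog itself creates.
  ( umask 077; : > "$log" )
  main &> "$log" &
else
  main &
fi
echo "Started Vault token expiry watchdog (pid $!)"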