CLI: add an option for renew command fail on non-fullfillable request to allow command chaining (#29060)

Signed-off-by: saiaunghlyanhtet <saiaunghlyanhtet2003@gmail.com>
2025-11-01 11:08:10 +00:00 · 2025-02-05 04:04:26 +09:00
parent 7b40df7b64
commit 16438470f7
4 changed files with 42 additions and 2 deletions
--- a/changelog/29060.txt
+++ b/changelog/29060.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+CLI: adds an optional flag (--fail-if-not-fulfilled) to the renew command, which lets the renew command fail on unfulfillable requests and allows command chaining to allow further executions.
+```
--- a/command/token_renew.go
+++ b/command/token_renew.go
@@ -21,8 +21,9 @@ var (
 type TokenRenewCommand struct {
 	*BaseCommand

-	flagAccessor  bool
-	flagIncrement time.Duration
+	flagAccessor           bool
+	flagIncrement          time.Duration
+	flagFailIfNotFulfilled bool
 }

 func (c *TokenRenewCommand) Synopsis() string {
@@ -86,6 +87,15 @@ func (c *TokenRenewCommand) Flags() *FlagSets {
 			"numeric string with suffix like \"30s\" or \"5m\".",
 	})

+	f.BoolVar(&BoolVar{
+		Name:       "fail-if-not-fulfilled",
+		Target:     &c.flagFailIfNotFulfilled,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage:      "Fail if the requested TTL increment cannot be fully fulfilled.",
+	})
+
 	return set
 }

@@ -140,5 +150,10 @@ func (c *TokenRenewCommand) Run(args []string) int {
 		return 2
 	}

+	if c.flagFailIfNotFulfilled && secret.Auth.LeaseDuration < int(increment.Seconds()) {
+		c.UI.Info("Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled")
+		return 1
+	}
+
 	return OutputSecret(c.UI, secret)
 }
--- a/command/token_renew_test.go
+++ b/command/token_renew_test.go
@@ -56,6 +56,18 @@ func TestTokenRenewCommand_Run(t *testing.T) {
 			"",
 			0,
 		},
+		{
+			"fail_if_not_fulfilled_exceeds_max_ttl",
+			[]string{"-increment", "33d", "--fail-if-not-fulfilled"},
+			"Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled",
+			1,
+		},
+		{
+			"fail_if_not_fulfilled_within_max_ttl",
+			[]string{"-increment", "30m", "--fail-if-not-fulfilled"},
+			"",
+			0,
+		},
 	}

 	t.Run("validations", func(t *testing.T) {
--- a/website/content/docs/commands/token/renew.mdx
+++ b/website/content/docs/commands/token/renew.mdx
@@ -36,6 +36,12 @@ Renew a token requesting a specific increment value:
 $ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017
 ```

+Fail if the requested TTL increment cannot be fully fulfilled:
+
+```shell-session
+$ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017 --fail-if-not-fulfilled || vault login
+```
+
 ## Usage

 The following flags are available in addition to the [standard set of
@@ -56,3 +62,7 @@ flags](/vault/docs/commands) included on all commands.

 - `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a
 token. When this option is selected, the output will NOT include the token.
+
+- `--fail-if-not-fulfilled` - Fail if the requested TTL increment cannot be
+fully fulfilled. Vault allows command chaining and token renewal request
+completion with capped duration even if renew request fails.