Point people in the right direction for tokens used in transit autounseal. (#16951)

2025-11-01 11:08:10 +00:00 · 2022-08-31 10:37:25 -04:00
parent 0636467e5d
commit 4dc81554ce
2 changed files with 9 additions and 2 deletions
--- a/website/content/docs/concepts/tokens.mdx
+++ b/website/content/docs/concepts/tokens.mdx
@@ -29,8 +29,9 @@ holder is allowed to do within Vault. Other mapped information includes
 metadata that can be viewed and is added to the audit log, such as creation
 time, last renewal time, and more.

-
-Read on for a deeper dive into token concepts.
+Read on for a deeper dive into token concepts.  See the
+[tokens tutorial](https://learn.hashicorp.com/tutorials/vault/tokens)
+for details on how these concepts play out in practice.

 ## Token Types

--- a/website/content/docs/configuration/seal/transit.mdx
+++ b/website/content/docs/configuration/seal/transit.mdx
@@ -113,6 +113,12 @@ path "<mount path>/decrypt/<key name>" {
 }
 ```

+Other considerations for the token used:
+* it should probably be an [orphan token](/docs/concepts/tokens#token-hierarchies-and-orphan-tokens),
+otherwise when the parent token expires or gets revoked the seal will break.
+* consider making it a [periodic token](/docs/concepts/tokens#periodic-tokens)
+and not setting an explicit max TTL, otherwise at some point it will cease to be renewable.
+
 ## Key Rotation

 This seal supports key rotation using the Transit Secret Engine's key rotation endpoints. See