HashiCorp Vault — alert when a service token is about to expire
A service's VAULT_TOKEN is close to expiry (no auto-renewal, or a non-renewable token). The service keeps hitting Vault until one day it gets 403 and loses access to its secrets.
Recipe
#!/usr/bin/env bash
# /etc/cron.d/vault-token
# 0 */6 * * * root /opt/vault-token.sh
set -euo pipefail
# VAULT_ADDR, VAULT_TOKEN and HEARTBEAT_URL come from the cron environment; fail early if any is missing
export VAULT_ADDR="${VAULT_ADDR:?VAULT_ADDR is not set}"
export VAULT_TOKEN="${VAULT_TOKEN:?VAULT_TOKEN is not set}"
HEARTBEAT_URL="${HEARTBEAT_URL:?HEARTBEAT_URL is not set}"
WARN_HOURS=${WARN_HOURS:-24}
# `token lookup` returns ttl in seconds; with pipefail a failed lookup aborts the script
TTL=$(vault token lookup -format=json | jq -r '.data.ttl')
# refuse to do arithmetic on an empty or non-numeric value (e.g. null from a malformed response)
case "$TTL" in
  ''|*[!0-9]*) echo "token lookup returned no numeric ttl: '$TTL'" >&2; exit 1 ;;
esac
LEFT_HOURS=$((TTL / 3600))
if [ "$LEFT_HOURS" -lt "$WARN_HOURS" ]; then
  curl -fsS "$HEARTBEAT_URL" --data "vault_ttl_h=$LEFT_HOURS,threshold=$WARN_HOURS"
  exit 2
fi
echo "OK (TTL=${LEFT_HOURS}h)"
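The same decision in Python, as an added example that is not part of the original recipe: it parses a constructed `vault token lookup -format=json` response and goes one step beyond the script above by not alarming on a token that has no expiry at all (ttl=0 with expire_time=null, as a root token reports) and by reporting whether `vault token renew` could still rescue the token. The sample values and the `classify_token` name are assumptions made for the example.

```python
import json
from typing import Any, Dict

# Constructed sample of `vault token lookup -format=json` output; not captured from a real cluster.
SAMPLE_LOOKUP = json.dumps({
    "data": {
        "accessor": "accessor-placeholder",
        "display_name": "token-db-service",
        "expire_time": "2025-01-02T03:04:05Z",
        "renewable": True,
        "ttl": 7200,  # seconds left, the same field the recipe reads with jq '.data.ttl'
        "type": "service",
        "policies": ["default", "db-reader"],
    }
})


def classify_token(lookup_json: str, warn_hours: int = 24) -> Dict[str, Any]:
    """Turn a token lookup response into an alert decision.

    Returns 'status' in {'never-expires', 'ok', 'warn'}, the whole hours left,
    and whether the token is still renewable (a `vault token renew` would extend it).
    """
    data = json.loads(lookup_json)["data"]
    renewable = bool(data.get("renewable"))
    ttl = int(data.get("ttl") or 0)
    expire_time = data.get("expire_time")

    # A token with no expiry reports ttl=0 and expire_time=null; the plain
    # `ttl / 3600 < WARN_HOURS` test would page on it every run, so treat it separately.
    if ttl == 0 and expire_time is None:
        return {"status": "never-expires", "hours_left": None, "renewable": renewable}

    hours_left = ttl // 3600  # integer hours, matching the shell $((TTL / 3600))
    status = "warn" if hours_left < warn_hours else "ok"
    return {"status": status, "hours_left": hours_left, "renewable": renewable}


def heartbeat_payload(decision: Dict[str, Any], warn_hours: int = 24) -> str:
    """Body sent to the heartbeat URL in the warn case, same shape as the recipe's curl --data."""
    return f"vault_ttl_h={decision['hours_left']},threshold={warn_hours}"


if __name__ == "__main__":
    decision = classify_token(SAMPLE_LOOKUP)
    print(decision)
    if decision["status"] == "warn":
        print("would POST:", heartbeat_payload(decision))
```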
Same thing in Enterno.io
Wire it to an Enterno heartbeat on a 6-hour schedule and learn about a "forgot to renew" before the service starts failing.
Related recipes
Compliance mandates rotating DB credentials every 90 days. The Vault static-creds engine should handle it, but someone set max_ttl=0, so the secret lives forever. The auditor finds it first.
Someone ran `vault secrets disable` (debug or drift): the pipeline reaches for DB creds and gets 404. Vault does not warn; for it this is a "normal admin action".
The site is on the HSTS preload list, but after an nginx refactor the header is gone. In 3 months the domain will be removed from the preload list. This needs a daily check.