MySQL secret backend: Ability to list generated credentials

[StyleT]

Hi!
Looks currently it's impossible to list all active credentials for MySQL secret backend. For example I can't review a list of creds that are currently in use. This feature is extremely useful to revoke all existing credentials for some role.

Please correct me if I missed something.

[StyleT]

After some research I see that looks like the same issue exists for all dynamic backends.

[chrishoffman]

You can use the /sys/revoke-prefix endpoint to revoke all credentials created for a given role or role prefix. Since the CLI is just a wrapper around the API, you can also do the following:

vault revoke -prefix=true mysql/creds/role-name/

See https://www.vaultproject.io/api/system/revoke-prefix.html.

[StyleT]

@chrishoffman yep, it's a good workaround for bulk revocation but this doesn't help me to perform audit of credentials that are currently in use. I'm personally interesting in tokens that were issued a long time ago, have big lease time, etc..

[chrishoffman]

The ability to list and view lease information will be available in 0.7.1 which should be released shortly. See #2650.