Check the lifetime (expiration date) for a token in Puppet Enterprise

After you generate a token, you can check its lifetime (expiration date) using the console in Puppet Enterprise 2021.0 and later. You can use the RBAC API tokens endpoint to check token expiration in all supported versions of PE.

Version and installation information

PE version: All supported

Solution

Check token expiration dates in the console in PE 2021.0 and later

In the console, click on Access Control, and then click on the Users tab. Click on a user. To get information about the user’s tokens, including expiration dates, click the Tokens tab.

Check token expiration dates using the command line

You can also check the expiration of a specific token in the command line using the RBAC API tokens endpoint.

On the primary server, run the following, replacing with the token you’d like to learn more about:

curl -X POST \
    --cert   $(puppet config print hostcert) \
    --key    $(puppet config print hostprivkey) \
    --cacert $(puppet config print localcacert) \
    -d '{"token": "<TOKEN>", "update_last_activity?": false}' \
    https://$(puppet config print server):4433/rbac-api/v2/auth/token/authenticate

A successful request returns a 200 OK response and JSON object representing the RBAC subject and associated token data including the expiration date, for example:

{
 "description":null,
 "creation":"YYYY-MM-DDT22:24:30Z",
 "email":"franz@kafka.com",
 "is_revoked":false,
 "last_active":"YYYY-MM-DDT22:24:31Z",
 "last_login":"YYYY-MM-DDT22:24:31.340Z",
 "expiration":"YYYY-MM-DDT22:29:30Z",
 "is_remote":false,
 "client":null,
 "login":"franz@kafka.com",
 "is_superuser":false,
 "label":null,
 "id":"c84bae61-f668-4a18-9a4a-5e33a97b716c",
 "role_ids":[1, 2, 3],
 "user_id":"c84bae61-f668-4a18-9a4a-5e33a97b716c",
 "timeout":null,
 "display_name":"Franz Kafka",
 "is_group":false
}