hashicorp · saiaunghlyanhtet · Nov 30, 2024
@@ -0,0 +1,3 @@
+```release-note:improvement
+CLI: adds an optional flag (--fail-if-not-fulfilled) to the renew command, which lets the renew command fail on unfulfillable requests and allows command chaining to allow further executions.
+```
@@ -21,8 +21,9 @@ var (
 type TokenRenewCommand struct {
 	*BaseCommand
 
-	flagAccessor  bool
-	flagIncrement time.Duration
+	flagAccessor           bool
+	flagIncrement          time.Duration
+	flagFailIfNotFulfilled bool
 }
 
 func (c *TokenRenewCommand) Synopsis() string {
@@ -86,6 +87,15 @@ func (c *TokenRenewCommand) Flags() *FlagSets {
 			"numeric string with suffix like \"30s\" or \"5m\".",
 	})
 
+	f.BoolVar(&BoolVar{
+		Name:       "fail-if-not-fulfilled",
+		Target:     &c.flagFailIfNotFulfilled,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage:      "Fail if the requested TTL increment cannot be fully fulfilled.",
+	})
+
 	return set
 }
 
@@ -140,5 +150,10 @@ func (c *TokenRenewCommand) Run(args []string) int {
 		return 2
 	}
 
+	if c.flagFailIfNotFulfilled && secret.Auth.LeaseDuration < int(increment.Seconds()) {
+		c.UI.Info("Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled")
+		return 1
+	}
+
 	return OutputSecret(c.UI, secret)
 }
@@ -56,6 +56,18 @@ func TestTokenRenewCommand_Run(t *testing.T) {
 			"",
 			0,
 		},
+		{
+			"fail_if_not_fulfilled_exceeds_max_ttl",
+			[]string{"-increment", "33d", "--fail-if-not-fulfilled"},
+			"Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled",
+			1,
+		},
+		{
+			"fail_if_not_fulfilled_within_max_ttl",
+			[]string{"-increment", "30m", "--fail-if-not-fulfilled"},
+			"",
+			0,
+		},
 	}
 
 	t.Run("validations", func(t *testing.T) {

@@ -36,6 +36,12 @@ Renew a token requesting a specific increment value:
 $ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017
 ```
 
+Fail if the requested TTL increment cannot be fully fulfilled:
+
+```shell-session
+$ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017 --fail-if-not-fulfilled || vault login
+```
+
 ## Usage
 
 The following flags are available in addition to the [standard set of
@@ -53,3 +59,7 @@ flags](/vault/docs/commands) included on all commands.
   Vault will not honor this request for periodic tokens. If not supplied, Vault will use
   the default TTL. This is specified as a numeric string with suffix like "30s"
   or "5m". This is aliased as "-i".
+
+- `--fail-if-not-fulfilled` - Fail if the requested TTL increment cannot be fully fulfilled.
+Vault will allow token renewal request completion with capped duration even if renew request fails.
+And Vault will also allow command chaining after renew command.