Agent auto-auth AppRole renew

ritmo2k · June 8, 2023, 5:10pm

I am trying to understand how auto_auth handles secret renewal with approle.

When I first set this demo up, I did not have remove_secret_id_file_after_reading = false, and the secret was removed after successfully obtaining a token, a secret, and rendering the template.

When I restarted the agent, it failed because the approle secret was no longer present.

So how does this work when the secret expires? Why wasn’t the persisted token sufficient?

vault {
  address = "https://vault.example.com:8200"
  retry {
    num_retries = 5
  }
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "C:/vault/auto_auth_roleid"
      secret_id_file_path = "C:/vault/auto_auth_secretid"
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      path = "C:/vault/auto_auth_sink"
    }
  }
}

template {
  source = "C:/vault/auto_auth_src"
  destination = "C:/vault/auto_auth_dst"
}

ritmo2k · June 8, 2023, 5:38pm

I reread the auto-auth docs and see that it refers to bind_secret_id in the approle auth configuration.

Does this assume that the token persisted through the sink is able to continuously renew itself indefinitely?

Topic		Replies	Views
Why does vault-agent not attempt re-authenticate, with secret-id when a token expired and cannot be renewed? Vault	0	284	October 14, 2023
Auto-renewing AppRole token Vault vault	3	3081	January 31, 2022
Approle + Vault Agent + sink file in RAM + TTL Vault	0	318	October 20, 2022
How can I have a robust vault agent configuration, using AppRole Vault	0	505	September 3, 2020
Vault Agent Auto Auth & secrets lifetime Vault vault	3	588	January 12, 2021

Agent auto-auth AppRole renew

Related topics