I am trying to understand how auto_auth handles secret renewal with approle.
When I first set this demo up, I did not have remove_secret_id_file_after_reading = false, and the secret was removed after successfully obtaining a token, a secret, and rendering the template.
When I restarted the agent, it failed because the approle secret was no longer present.
So how does this work when the secret expires? Why wasn’t the persisted token sufficient?
vault {
  address = "https://vault.example.com:8200"
  retry {
    num_retries = 5
  }
}
auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "C:/vault/auto_auth_roleid"
      secret_id_file_path = "C:/vault/auto_auth_secretid"
      remove_secret_id_file_after_reading = false
    }
  }
  sink "file" {
    config = {
      path = "C:/vault/auto_auth_sink"
    }
  }
}
template {
  source = "C:/vault/auto_auth_src"
  destination = "C:/vault/auto_auth_dst"
}