Agent auto-auth AppRole renew

ritmo2k · June 8, 2023, 5:10pm

I am trying to understand how auto_auth handles secret renewal with approle.

When I first set this demo up, I did not have remove_secret_id_file_after_reading = false, and the secret was removed after successfully obtaining a token, a secret, and rendering the template.

When I restarted the agent, it failed because the approle secret was no longer present.

So how does this work when the secret expires? Why wasn’t the persisted token sufficient?

vault {
  address = "https://vault.example.com:8200"
  retry {
    num_retries = 5
  }
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "C:/vault/auto_auth_roleid"
      secret_id_file_path = "C:/vault/auto_auth_secretid"
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      path = "C:/vault/auto_auth_sink"
    }
  }
}

template {
  source = "C:/vault/auto_auth_src"
  destination = "C:/vault/auto_auth_dst"
}

ritmo2k · June 8, 2023, 5:38pm

I reread the auto-auth docs and see that it refers to bind_secret_id in the approle auth configuration.

Does this assume that the token persisted through the sink is able to continuously renew itself indefinitely?