Approle + Vault Agent + sink file in RAM + TTL

Hi there,

What would be the best approach when utilizing AppRole with Vault Agent?

From what I understood, Vault reads the SecretID from a file, authenticates, retrieves the token and saves it to the sink file. The SecretID file itself is then deleted.

But what if the token, e.g. the sink file, is saved in RAM only, so after a reboot I need to re-authenticate? Yes, I know I can disable SecretID file deletion, but this creates a security issue from my perspective.

Is the below scenario possible?
Both the SecretID (in a file on non-volatile storage) and the token (in memory) would have some kind of TTL. So if I do only an OS reboot, the SecretID file will be present (because I disable the deletion) and is able to re-authenticate and retrieve the token, saving it to memory.
BUT, when somebody, let’s say, steals my server and isn’t able to renew the SecretID itself within an hour, he wouldn’t be able to retrieve the token, as the old SecretID would be unusable.

Is vault-agent itself capable of SecretID rotation (saving it to a specified file on non-volatile storage)? Token renewal should be possible, as far as I know, but I couldn’t find definitive info about the SecretID.
What is the best practice?
What is the most reasonable TTL setting in your opinion?
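
The setup described in the post, written out as a Vault Agent configuration. This is an added example, not part of the original post; the Vault address and all file paths are assumed placeholders, and `/run` is assumed to be a RAM-backed (tmpfs) mount.

```hcl
# Added example: AppRole auto-auth with the SecretID kept on disk and the
# token sink in RAM. Address and paths below are assumed placeholders.

vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  method "approle" {
    config = {
      # RoleID and SecretID live on non-volatile storage.
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"

      # Default is true: the SecretID file is deleted after the first read.
      # false keeps the file, so the agent can log in again after a reboot
      # for as long as the SecretID itself is still valid.
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      # Token is written to a tmpfs path and is gone after a reboot.
      path = "/run/vault-agent/token"
    }
  }
}

# The lifetime of the SecretID is not set in this file. It is a property of
# the AppRole role on the Vault server (the role's secret_id_ttl parameter).
```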