Boundary credential store token


I want to allow users to get postgres credentials from boundary.
Everything works fine, but the way I create the token for vault is manually and after a period of time (TTL) the credentials disappears and I should create again a credentials store.
How can I use Boundary to authenticate with Vault with a permanent token or by k8s service account without creating new tokens again and again?

When you say the credentials disappear, what are you seeing when you try to connect to your postgres target after the credential library stops working? Are you creating the Vault token as a renewable token and does the Vault token have policies attached in Vault that allow it to renew itself?

I created the token for period of 20m and set it in the credentials store.
Does Boundary renew the token even though I’m not using the credentials?

Hello @ofir.kuperiu,
Thanks for your report and trying to make Boundary a better product!

The Boundary controller should be running a periodic job that monitors all your credential store Vault tokens, and renews them at about half way to their expiry regardless of having credentials attached to the token. If the only credential store you have is that one with the 20m token, I would expect it to be renewed every 10 minutes. This does, however, have a requirement that your Boundary controller and your Vault server are up and running consistently to be able to perform the renewal.

We have received another report similar to yours, I have not been able to reproduce an issue with token renewal on my side yet. I was planning to spend some cycles next week looking into this.