Hello all,
I have a few questions regarding the `skip_child_token` attribute of the Vault Terraform Provider.
Setup context:
Terraform is running within a GitHub Actions workflow. The Vault provider is using the `auth_login_jwt` configuration block with `mount` and `role` set, in addition to a GHA ID Token (JWT) passed via the well-known environment variable. The workflow/pipeline is not acquiring a Vault token prior to Terraform execution (plan/apply).
Questions:
- Token flow
In the context I outlined above, with `skip_child_token` set to `false` – are two tokens acquired by the provider? One when exchanging the GHA ID Token, and then a second immediately after to actually be used by the provider to configure Vault?
- Rationale for child token
Why is it strongly encouraged to allow the provider to create ephemeral child tokens? I follow why this practice might be encouraged when a token is directly passed to the provider, but in cases where an auth method like JWT, AppRole, etc. is utilized – why bother?
- Token Type
Does setting `skip_child_token` to `false` effectively require that `token_type` be configured to `service` or `default-service` for the auth method/role in question? My understanding is that batch tokens cannot create child tokens, and I could not find evidence that the provider goes out of its way to request a service token.
Thank you!
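As an added example (not part of the original post), this is what the setup described above might look like in HCL, with the JWT role's `token_type` made explicit so the point raised in the third question is visible. The Vault address, mount path, role name, audience, repository and policy name are placeholders chosen for illustration; the auth method and role resources are hypothetical and would normally be managed outside the pipeline that uses them.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Provider configuration matching the setup in the post. No VAULT_TOKEN
# is set; the provider logs in with the GitHub Actions ID token, which it
# reads from the TERRAFORM_VAULT_AUTH_JWT environment variable when the
# `jwt` argument is left unset.
provider "vault" {
  address = "https://vault.example.internal:8200" # placeholder address

  # false (the default) lets the provider create an ephemeral child token
  # from the login token and use that child for the rest of the run.
  skip_child_token = false

  auth_login_jwt {
    mount = "github-actions" # assumed mount path of the jwt auth method
    role  = "terraform"      # assumed role name
  }
}

# Hypothetical definition of that auth method and role. Batch tokens
# cannot create child tokens, so a role meant to work with the default
# skip_child_token = false needs to issue service tokens.
resource "vault_jwt_auth_backend" "github" {
  path               = "github-actions"
  type               = "jwt"
  oidc_discovery_url = "https://token.actions.githubusercontent.com"
  bound_issuer       = "https://token.actions.githubusercontent.com"
}

resource "vault_jwt_auth_backend_role" "terraform" {
  backend         = vault_jwt_auth_backend.github.path
  role_name       = "terraform"
  role_type       = "jwt"
  bound_audiences = ["https://github.com/example-org"] # placeholder audience
  user_claim      = "repository"
  bound_claims = {
    repository = "example-org/example-repo" # placeholder repository
  }
  token_type     = "service"     # not "batch": batch tokens cannot create children
  token_policies = ["terraform"] # placeholder policy name
  token_ttl      = 900
}
```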