I am at a loss as to how to create a template for Vault Agent to create a wrapped token of the secret-id for a given AppRole. Here is the sequence:
- Using the auth/token/create endpoint, create an orphaned token with the policy that has the proper rights to the approle/role
- Save the token to a variable
- Generate a new secret using response wrapping with the token generated in step one
- Return the wrapped token into a JSON file
I can confirm using the Vault CLI that the policy permissions are correct.
This is my current template:
```
{{- with secret "auth/token/create" "ttl=5m" "explicit_max_ttl=10m" "policy=vault-agent-policy" "no_parent=true" -}}
{{- $token := .Auth.ClientToken -}}
{{ with secret "auth/approle/role/dev-redis-agent/secret-id" "method=PUT" }}
{{- $wrapped := .WrapInfo.Token -}}
{
"secret_id": "{{ $wrapped }}"
}
{{ end }}
{{ end }}
```
Numerous attempts to add wrap_ttl=3m to the auth/approle/role/dev-redis-agent/secret-id have proven unsuccessful.
Does anyone have any suggestions on how to implement this flow: Response-wrapping creation in a Consul Template?
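
For reference, the four steps above expressed against Vault's HTTP API, where response wrapping is requested with the `X-Vault-Wrap-TTL` request header rather than a body parameter. This is an added example, not part of the original post and not a Consul Template; the `transport` hook, `fake_vault` and all token values are constructed so the flow runs without a server.

```python
import json, os, urllib.request

def vault_post(addr, path, token, body, wrap_ttl=None, transport=None):
    """POST to Vault's HTTP API and return the decoded JSON response."""
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    if wrap_ttl:
        # Wrapping is requested per call with this header, not a body key.
        headers["X-Vault-Wrap-TTL"] = wrap_ttl
    if transport:  # hypothetical hook so the flow can run without a server
        return transport(path, headers, body)
    req = urllib.request.Request(f"{addr}/v1/{path}", json.dumps(body).encode(),
                                 headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def wrapped_secret_id(addr, parent_token, role, policy, wrap_ttl="3m", transport=None):
    # Steps 1-2: short-lived orphan token carrying only the AppRole policy.
    created = vault_post(addr, "auth/token/create", parent_token,
                         {"policies": [policy], "ttl": "5m",
                          "explicit_max_ttl": "10m", "no_parent": True},
                         transport=transport)
    token = created["auth"]["client_token"]
    # Step 3: generate the secret-id and ask Vault to wrap the response.
    resp = vault_post(addr, f"auth/approle/role/{role}/secret-id", token, {},
                      wrap_ttl=wrap_ttl, transport=transport)
    wrap = resp.get("wrap_info") or {}
    if not wrap.get("token"):
        # Fail closed: never fall back to writing the raw secret-id.
        raise RuntimeError("response was not wrapped")
    return {"secret_id": wrap["token"]}

def write_json(doc, path):
    # Step 4: create the file readable by its owner only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh)

def fake_vault(path, headers, body):
    # Constructed responses standing in for a Vault server (values are made up).
    if path == "auth/token/create":
        return {"auth": {"client_token": "EXAMPLE-ORPHAN-TOKEN"}}
    if "X-Vault-Wrap-TTL" in headers:
        return {"wrap_info": {"token": "EXAMPLE-WRAPPING-TOKEN", "ttl": 180}, "data": None}
    return {"data": {"secret_id": "EXAMPLE-RAW-SECRET-ID"}}

if __name__ == "__main__":
    print(wrapped_secret_id("http://127.0.0.1:8200", "EXAMPLE-PARENT", "dev-redis-agent",
                            "vault-agent-policy", transport=fake_vault))
```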