I tried to implement Vault Agent and have my vault agent
command running under a Docker container without issue. But, after several token renewals, it failed to connect to the Vault server and thus stopped working.
2025-10-07T07:20:18.021Z [INFO] agent.auth.handler: renewed auth token
2025-10-07T07:34:41.290Z [INFO] agent.auth.handler: renewed auth token
2025-10-07T07:46:09.229Z [INFO] agent.auth.handler: renewed auth token
2025-10-07T07:20:18.014Z [INFO] agent.auth.handler: authentication successful, sending token to sinks
2025-10-07T07:20:18.014Z [INFO] agent.auth.handler: starting renewal process
2025-10-07T07:20:18.001Z [INFO] agent.auth.handler: authenticating
2025-10-07T07:46:09.229Z [INFO] agent.auth.handler: lifetime watcher done channel triggered, re-authenticating
2025-10-07T07:46:10.229Z [INFO] agent.auth.handler: authenticating
2025-10-07T07:46:10.237Z [ERROR] agent.auth.handler: error authenticating:
error=
| Error making API request.
| URL: PUT http://vault-01:8200/v1/auth/approle/login
| * invalid role or secret ID
| Code: 400. Errors:
backoff=930ms
I have an AppRole named webapp-role:
vault write auth/approle/role/webapp-role \
bind_secret_id=true \
secret_id_num_uses=500 \
policies="vault-agent-policy" \
secret_id_ttl=1440m \
token_ttl=20m \
token_max_ttl=30m
The secret_id_ttl is set to 1 day (and set inside the Vault Agent container as a plain-text file). I still don't understand the concept behind "reauthenticating" using the secret_id, since it tries to reauth about 20-30 minutes after the Vault Agent initialized.
Is there a step that I am missing? Thank you.
Tags: vault-agent, api-proxy, secret_id
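As an added example (not the poster's own configuration), this is a Vault Agent auto_auth block for the webapp-role AppRole described above, annotated with the token lifecycle the log shows. The Vault address, file paths and sink path are assumptions.

```hcl
# Added example, not the poster's config. Paths and the address are assumptions.
vault {
  address = "http://vault-01:8200"
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/vault/config/role_id"
      secret_id_file_path = "/vault/config/secret_id"

      # Lifecycle with the role above:
      #   1. login with role_id + secret_id -> token with token_ttl = 20m
      #   2. the agent renews that token until it approaches token_max_ttl = 30m
      #   3. renewal can no longer extend it, the lifetime watcher fires
      #      ("lifetime watcher done channel triggered, re-authenticating")
      #   4. the agent logs in again with role_id + secret_id
      # Step 4 needs a secret_id that is still inside secret_id_ttl and has
      # uses left (each login consumes one of secret_id_num_uses = 500).
      #
      # This option defaults to true, which makes the agent delete the
      # secret_id file after its first read. Keeping a long-lived file-based
      # secret_id in place means every re-authentication can read it again.
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      path = "/vault/secrets/token"
    }
  }
}
```

Server side, `vault write auth/approle/role/webapp-role/secret-id/lookup secret_id=<value>` shows the remaining uses and expiration of the secret_id the container holds, which tells you whether step 4 can succeed.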