Best practices for Vault Agent involve providing it with a one-time-use wrapped SecretID to be used with the AppRole auto-auth method. However, best practice also involves not storing the SecretID after it’s unwrapped, which means Vault Agent can’t re-authenticate with Vault after a restart.
How are people handling this problem? What are the best practices for handling Vault Agent restarts?
It depends on the requirements of the workload for which Vault Agent is providing the secrets, as well as the trust level of the environment where they are running.
Vault’s response wrapping is only used in this case to guarantee secure delivery of the SecretID without using out-of-band methods. Once delivered, though, you may decide to keep it or remove it based on your assessment of the risk and viability of either option.
If, say, the token retrieved using the SecretID only gives the agent access to read database creds, and there’s a single application running in a trusted instance, pod, etc. that needs those, and you have no other means of delivering newly wrapped SecretIDs after the setup is done, keeping it may be your only option.
If, on the other hand, you’re running your workload in a primarily untrusted shared environment where you’re capable of injecting new SecretIDs or tokens every time your instance or pod restarts, then you probably want to remove it after using it, leaving the agent with the task of managing in-memory tokens only.
Note I left the definition of trust purposely vague, so that you can make that judgment for yourself.
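As an added illustration of the two options the answer weighs (not configuration from the thread or from HashiCorp's docs), this is a Vault Agent config for the AppRole auto-auth method; the address, file paths and role name are placeholders.

```hcl
# Added example (not from the thread). Address, paths and role name are assumptions.
vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path = "/etc/vault-agent/role_id"

      # The SecretID injected by the orchestrator or CI system. When it is a
      # response-wrapped token, secret_id_response_wrapping_path makes the agent
      # unwrap it itself and check the wrapping token's creation path against
      # this value; a wrapping token is single-use, so an earlier unwrap by
      # someone else causes the login to fail instead of silently succeeding.
      secret_id_file_path              = "/etc/vault-agent/secret_id"
      secret_id_response_wrapping_path = "auth/approle/role/my-app/secret-id"

      # The trade-off discussed above. true (the default) deletes the file once
      # read, so a restart needs a freshly injected SecretID but no reusable
      # credential stays on disk. false keeps it so the agent can log in again
      # after a restart, at the cost of a long-lived credential on the host.
      remove_secret_id_file_after_reading = true
    }
  }

  # Where the agent writes the token it obtains for other processes to use.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
    }
  }
}
```

If the trusted-environment case forces `remove_secret_id_file_after_reading = false`, the compensating controls are the ones the answer implies: a tightly scoped policy on the AppRole's token and restrictive ownership and permissions on the SecretID file.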