Help for demystifying trusted entity in AppRole


I understand most of the workflow except when the secret_id expires.
Who is responsible for providing a new secret_id at that time?
At first, it should be a separate entity.

  • Can it be a dedicated microservice?
  • A Cron that generates secret_ids every hour?

Thanks for your help.
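As an added illustration of the cron/microservice pattern asked about above (example code, not from this thread or from Vault's own tooling): the trusted entity mints a response-wrapped SecretID through Vault's HTTP API, and the application verifies the wrapping token's creation path before unwrapping and logging in. The Vault address, the role name my-app, and the rotator token are assumptions.

```python
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # assumed
ROLE = "my-app"  # hypothetical AppRole name


def _post(path, token, body=None, wrap_ttl=None):
    """POST to the Vault HTTP API and return the decoded JSON response."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    if wrap_ttl:
        headers["X-Vault-Wrap-TTL"] = wrap_ttl  # ask Vault to response-wrap
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", method="POST",
                                 data=json.dumps(body or {}).encode(),
                                 headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def issue_wrapped_secret_id(rotator_token, wrap_ttl="120s"):
    """Trusted entity (cron job or small service): mint one SecretID for ROLE,
    response-wrapped so the rotator itself never sees the plaintext SecretID.
    The rotator token only needs permission on this one endpoint.
    Returns the wrap_info dict to hand to the application."""
    return _post(f"auth/approle/role/{ROLE}/secret-id", rotator_token,
                 wrap_ttl=wrap_ttl)["wrap_info"]


def wrap_info_is_trusted(wrap_info, role=ROLE):
    """Application-side check before unwrapping: the cubbyhole must have been
    created by the SecretID endpoint of the expected role. A wrapping token
    created anywhere else is rejected."""
    return wrap_info.get("creation_path") == f"auth/approle/role/{role}/secret-id"


def app_login(wrap_info, role_id):
    """Application: unwrap (single use, so a wrapping token that someone else
    already consumed fails here) and log in with RoleID + SecretID."""
    if not wrap_info_is_trusted(wrap_info):
        raise ValueError(f"unexpected creation_path {wrap_info.get('creation_path')!r}")
    unwrapped = _post("sys/wrapping/unwrap", wrap_info["token"])
    secret_id = unwrapped["data"]["secret_id"]
    auth = _post("auth/approle/login", None,
                 {"role_id": role_id, "secret_id": secret_id})["auth"]
    return auth["client_token"], auth["lease_duration"]
```

The rotator runs issue_wrapped_secret_id on a schedule shorter than the role's secret_id_ttl and delivers only the short-lived wrapping token to the app.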

It very much depends on your architecture.

Sometimes the answer may be to just set the secret_id to never expire.


We lose the benefit of the AppRole. You might as well use a simple Token.

No, there are reasons someone might prefer to use AppRole with non-expiring SecretID over simple tokens:

  • You can’t create non-expiring tokens apart from root tokens, but with AppRole you can create non-expiring credentials with particular policies. This may be important for example, when configuring credentials in an environment where there is no option to use a trusted orchestrator to automatically rotate credentials.

  • The configurability to control token TTLs generated from the AppRole auth method exceeds the configurability of the token auth method.

Ultimately, AppRole is a toolbox with which to build specific solutions according to individual requirements - that is why there is no single simple answer to your initial question.
