Recommended Vault Token TTL

We are using Percona as a database for a number of front end clients, configuring TDE in Percona and using HashiCorp Vault as the Key Management System. We plan on using Vault Agent and AppRole authentication to repeatedly generate new Vault Tokens for Percona to access HashiCorp Vault as they expire.

What is the best practice/recommended TTL for tokens before they should be renewed, or how do we decide the best TTL for our application?

That’s completely up to you. The best-practice approach is to do the minimum needed to accomplish the task. The minimum I’d use is 5 minutes, though; if you try to make it too small, system and network latency will cause issues.
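
For the setup described in the question, the following Vault Agent configuration is an added example, not part of the original posts. The address, file paths, role name and policy name are assumptions, and the 5-minute TTL is the floor suggested in the answer.

```hcl
# Vault Agent config (constructed example; address, paths and names are assumptions).
#
# The token TTL is set on the AppRole role, not in this file, for example:
#   vault write auth/approle/role/percona-tde \
#       token_ttl=5m token_max_ttl=1h token_policies=percona-tde
# token_ttl is how long each token lives between renewals.
# token_max_ttl caps how far renewals can extend one token before the
# agent has to log in again with the RoleID and SecretID.

vault {
  address = "https://vault.example.internal:8200" # placeholder address
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"

      # By default the agent deletes the SecretID file after the first read.
      # Keep it so the agent can re-authenticate once the token reaches
      # token_max_ttl; protect the file with strict filesystem permissions.
      remove_secret_id_file_after_reading = false
    }
  }

  # The agent renews the token before it expires and rewrites this file
  # whenever a new token is issued. The database host reads the token from here.
  sink "file" {
    config = {
      path = "/var/lib/vault-agent/percona-token"
      mode = 0640
    }
  }
}
```

With a short token_ttl, each renewal has to complete within that window, which is where the latency concern in the answer applies.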