Hi, i have a simple setup of Vault, running as an oidc-identity-provider. This involves creating an identity/oidc/role and issuing a command like the following to generate a JWT:
vault read identity/oidc/role/acme
I then have a consul template demo-template.yml like this:
# Rendered using Consul Template at {{ timestamp }}
# Get JWTs from vault!
{{ with secret "identity/oidc/token/acme"}}
{{ .Data.token }}
{{ end }}
and run as
consul-template -template “demo-template.yml.tmpl:output.txt:cat output.txt”
This works - to an extent. A JWT is created every 1.5 mins, but i dont know why. The role TTL i have set for the JWT is 30 days - and I can see that is reflected in the expiry claim of the JWT. Can anyone help me understand what is actually triggering the JWT to be created/refreshed?
Using hashicorp/consul:latest and hashicorp/vault:latest
Thanks
This is the consul template debug logs (feel free to decode the JWT - its just from a through away vault instance/key!)
2024/03/26 16:32:15.514596 [DEBUG] (runner) receiving dependency vault.read(identity/oidc/token/acme)
2024/03/26 16:32:15.514644 [DEBUG] (runner) initiating run
2024/03/26 16:32:15.514649 [DEBUG] (runner) checking template c363382866fd902acd2ab0b571012b6e
2024/03/26 16:32:15.515004 [DEBUG] (runner) rendering "demo-template.yml.tmpl" => "output.txt"
2024/03/26 16:32:15.522869 [INFO] (runner) rendered "demo-template.yml.tmpl" => "output.txt"
2024/03/26 16:32:15.522886 [DEBUG] (runner) appending command "cat output.txt" from "demo-template.yml.tmpl" => "output.txt"
2024/03/26 16:32:15.522892 [DEBUG] (runner) diffing and updating dependencies
2024/03/26 16:32:15.522900 [DEBUG] (runner) vault.read(identity/oidc/token/acme) is still needed
2024/03/26 16:32:15.522904 [INFO] (runner) executing command "cat output.txt" from "demo-template.yml.tmpl" => "output.txt"
2024/03/26 16:32:15.522926 [INFO] (child) spawning: cat output.txt
# Rendered using Consul Template at 2024-03-26T16:32:15Z
# Get JWTs from vault!
eyJhbGciOiJSUzI1NiIsImtpZCI6IjhiZDkyOWRlLTcyODUtN2ZhYS01MjVkLWZiNDI0MGM3NWNlMCJ9.eyJhdWQiOiJieW9uLnBpcGVsaW5lIiwiZXhwIjoxNzE0MDYyNzM1LCJpYXQiOjE3MTE0NzA3MzUsImlzcyI6Imh0dHA6Ly8wLjAuMC4wOjgyMDAvdjEvaWRlbnRpdHkvb2lkYyIsIm5hbWVzcGFjZSI6InJvb3QiLCJuYmYiOjE3MTE0NzA3MzUsInJvbGVfY2xhaW0iOiJhY21lLXBpcGVsaW5lLWFwcC14Iiwic3ViIjoiZmQxYjNjYzItMzVhMi1lNzE5LTJhZjMtNjBiNTc3M2I0YTRlIn0.BRdHVZF5Uiadh3xBB_WbMWs6_N39V8Lcd-BfT5LdTKkffQ0e3dC8tvUZxqkWmRorOQTDqRz4hRBocp5xRAczHMs4jD3ZBYWeBnrfkCMDyXkQS-gNUN-YAGonBNxRy6Bf7ljXCAdK6L3GKY5dxfCtK4Xue78-wMcHUB4pnkyzKFd5S8LZ1XHUYL3do5qIX2xUOsUTtD85ZxgvJpcoFfeAHd1f6qZFb5-Cs8tynGyhkNmepag9TRerRG2-q8OSPHKW6UrWqViZ0-h21rTN3UTDnnQgG4Bo_fHBSx-Itk8DNWJ7Ec2Qy7Ap5mf4rQa4Y8WSEwzz8q7TnkSBMKct3nfVDg
2024/03/26 16:32:15.525073 [DEBUG] (runner) watching 2 dependencies
2024/03/26 16:32:15.525118 [DEBUG] (runner) all templates rendered
2024/03/26 16:32:15.525086 [DEBUG] (cli) receiving signal "child exited"
, and the next logging has the line:
# Rendered using Consul Template at 2024-03-26T16:33:44Z
i.e. ~1.5 mins later