Is there a way to specify a shorter TTL for secrets in a vault agent template with `with secret`? I have a relatively long default TTL, but for examples that support a much shorter TTL I want to use that to rotate the secrets more often.
I’m using vault agent in kubernetes, so I have something like this in my k8s annotations to write a configuration file:
```yaml
vault.hashicorp.com/agent-inject-template-database: |
  {{- with secret "database/creds/db-app" -}}
  db:
    dsn: "tcp(db-haproxy.db.svc)/app?charset=utf8&parseTime=true"
    user: {{ .Data.username }}
    pass: {{ .Data.password }}
  {{- end }}
```
I tried adding a parameter to `with secret` like this:
```
{{- with secret "database/creds/db-app" "ttl=1h" -}}
```
but that made the agent fail to get the secret (and I couldn’t find any documentation examples telling me this should have worked anyway).