Currently it seems that Vault agent does not support the “userpass” method for authentication (if it does, please stop reading…).
The scenario where I think this would be useful is during development, especially for database and other dynamic secrets. The developer would start the agent and it would ask for the password interactively. After that, it would just be business as usual.
This approach has the benefit that it discourages people from putting Vault credentials in source files that end up in shared repositories.
IMHO bad idea, userpass passwords aren’t rotatable, which means whatever is in clear text in the config file will be the password, which also means anyone who gets a hold of it can now access the secrets with that static password from anywhere.
Userpass has the advantage of rotating automatically.
I agree that passwords in general ARE bad. However, since Vault already supports this authentication method, I think that it should also support it when running in agent mode.
Of course, enabling this method or not on a given Vault installation is another issue altogether…