Hello,
We use Vault Agent Injector and we see in the logs that on each start the container produces the following logs:
==> Vault server started! Log data will stream in below:
==> Vault agent configuration:
Cgo: disabled
Log Level: info
2020-09-30T10:56:27.938Z [INFO] sink.file: creating file sink
2020-09-30T10:56:27.938Z [INFO] sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
2020-09-30T10:56:27.939Z [INFO] template.server: starting template server
Version: Vault v1.4.2
2020/09/30 10:56:27.939175 [INFO] (runner) creating new runner (dry: false, once: false)
2020/09/30 10:56:27.939653 [INFO] (runner) creating watcher
2020-09-30T10:56:27.939Z [INFO] auth.handler: starting auth handler
2020-09-30T10:56:27.939Z [INFO] auth.handler: authenticating
2020-09-30T10:56:27.940Z [INFO] sink.server: starting sink server
2020-09-30T10:56:28.048Z [INFO] auth.handler: authentication successful, sending token to sinks
2020-09-30T10:56:28.048Z [INFO] auth.handler: starting renewal process
2020-09-30T10:56:28.048Z [INFO] template.server: template server received new token
2020/09/30 10:56:28.048087 [INFO] (runner) stopping
2020/09/30 10:56:28.048128 [INFO] (runner) creating new runner (dry: false, once: false)
2020-09-30T10:56:28.048Z [INFO] sink.file: token written: path=/home/vault/.vault-token
2020/09/30 10:56:28.048395 [INFO] (runner) creating watcher
2020/09/30 10:56:28.048471 [INFO] (runner) starting
2020-09-30T10:56:28.073Z [INFO] auth.handler: renewed auth token
2020/09/30 10:56:28.073819 [WARN] vault.read(auth/token/lookup-self): failed to check if auth/token/lookup-self is KVv2, assume not: Error making API request.
URL: GET https://vault.vault.svc:443/v1/sys/internal/ui/mounts/auth/token/lookup-self
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "auth/token/lookup-self/"
2020/09/30 10:56:28.164004 [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/token"
Is this normal behavior or something I should be worried about?
It seems like everything is working correctly, but the error does raise my attention.
Thanks,
Thomas