Vault agent - Handle Restart

Hi there,

I think I have understood how I can use a config management tool (in our case Puppet) to roll out role_id and secret_id files to the app servers, and how these files are then used by a Vault agent to auth against Vault and eventually provide authentication for my Spring Boot app using Spring Cloud Vault.
I understood that the Vault agent loads the role-id/secret-id files into its cache and then deletes the secret-id source files, so everything is only available in memory.

What I didn't understand is how to handle a restart of a machine. We use Puppet for configuration management, and it will not run directly when the machine restarts, so the initial role-id/secret-id files and the application won't be created anymore.

Is there a best practice for handling this problem, or is redeploying the only way?

Thx in advance!

What I will probably do is put Vault agent under supervisord and make the startup command something like:

ln -f /etc/vault/secret-id /etc/vault/secret-id.tmp && vault agent -config=...

And have the config file point to /etc/vault/secret-id.tmp

This is not as secure, of course, since the secret is in persistent storage, but my main goal in my deployment is to keep secrets out of source code.

I’d love to see other solutions as well.
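A concrete form of the supervisord approach in the reply above, added here as an example (it is not code from the post or from HashiCorp): a wrapper script that re-stages the hard link on every start and then execs Vault Agent, together with the auto_auth stanza that points at the throwaway copy. The wrapper name, the paths under /etc/vault and /run/vault, and the AppRole mount path are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Example supervisord wrapper for this thread (not from the original post or
# from HashiCorp): re-stage a throwaway copy of the AppRole SecretID on every
# start, then exec Vault Agent against that copy. All paths are assumptions.
SECRET_ID_SRC="${SECRET_ID_SRC:-/etc/vault/secret-id}"
SECRET_ID_TMP="${SECRET_ID_TMP:-/etc/vault/secret-id.tmp}"
AGENT_CONFIG="${AGENT_CONFIG:-/etc/vault/agent.hcl}"

# Make $2 a second name (hard link) for the file at $1. Vault Agent deletes
# $2 after reading it (remove_secret_id_file_after_reading defaults to true),
# which only unlinks that name; the inode stays reachable via $1 for the next
# restart. Both paths must be on the same filesystem; otherwise use cp -p.
stage_secret_id() {
  src=$1
  dst=$2
  if [ ! -r "$src" ]; then
    echo "stage_secret_id: cannot read $src" >&2
    return 1
  fi
  ln -f "$src" "$dst"
}

# Print the Vault Agent auto_auth config that reads the throwaway copy ($1).
# The Vault address is taken from VAULT_ADDR in the environment here; the
# mount path and sink path are assumptions.
agent_config() {
  cat <<EOF
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path                   = "/etc/vault/role-id"
      secret_id_file_path                 = "$1"
      remove_secret_id_file_after_reading = true
    }
  }

  sink "file" {
    config = {
      path = "/run/vault/agent-token"
    }
  }
}
EOF
}

main() {
  # Refuse to start the agent without a SecretID instead of looping on 403s.
  stage_secret_id "$SECRET_ID_SRC" "$SECRET_ID_TMP" || exit 1
  exec vault agent -config="$AGENT_CONFIG"
}

# Run only when executed as the installed wrapper, e.g. from supervisord:
#   [program:vault-agent]
#   command=/usr/local/bin/vault-agent-wrapper.sh
#   autorestart=true
case "$0" in
  */vault-agent-wrapper.sh) main "$@" ;;
esac
```

As the reply notes, the SecretID still lives on disk at /etc/vault/secret-id between restarts; the hard link only protects it from the agent's own delete. Keep that file owned by the agent's user with mode 0400, and write the HCL from agent_config to the path in AGENT_CONFIG once rather than regenerating it per start.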