Vault agent login method and secret id rotation

Use case - Rotate application credentials using RabbitMQ dynamic credentials.

We are using Vault Agent to update credentials for one legacy application using the RabbitMQ secrets engine (dynamic credentials).

So Vault Agent fetches dynamic credentials from the RabbitMQ engine and updates them in the application configuration file. Everything is working fine, but our biggest concern is that we need to use the AppRole auth method for the agent to authenticate to Vault, and there is no way for us to rotate the secret ID. So basically we are solving one problem but creating another one, as we have to leave the secret ID on each machine and we can't rotate it automatically.

Any suggestions on how we can achieve this without exposing the secret ID? I believe this will be a common use case for any other credential rotation using Vault Agent. Can we use any other auth method for Vault Agent to authenticate with Vault that is secure and rotates automatically, to address the secret zero issue?

This is our agent config file:

pid_file = "/vaultagent/agent.pid"

log_file = "/vaultagent/agent-trace.log"

vault {
  address = "https://prod.ourserver.com:8200"
}

auto_auth {
  method "approle" {
    namespace = "XX"
    mount_path = "XX/rabbitmq"
    config = {
      role_id_file_path = "/vaultagent/rabbitmq_roleID"
      secret_id_file_path = "/vaultagent/rabbitmq_secretID"
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      path = "/vaultagent/agent-token"
    }
  }
}

cache {}

template_config {
  exit_on_retry_failure = true
  static_secret_render_interval = "1m"
}

template {
  source = "/vaultagent/template.ctmpl"
  destination = "/ourapp/app1/config/conf/Config.conf.appinfo.xml"
  error_on_missing_key = true
}
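
An added example, not part of the original post and not HashiCorp's own configuration: the `auto_auth` stanza from the config above, reworked with Vault Agent's AppRole options so that the file on disk holds a short-lived, single-use response-wrapping token rather than a long-lived secret ID, and is deleted once read. It assumes a trusted deployment job writes a freshly wrapped secret ID to the file whenever the agent has to log in again; `ROLE_NAME` and the `auth/approle` prefix in the wrapping path are placeholders.

```hcl
auto_auth {
  method "approle" {
    namespace  = "XX"
    mount_path = "XX/rabbitmq"

    config = {
      role_id_file_path   = "/vaultagent/rabbitmq_roleID"

      # The file now holds a response-wrapping token, not the raw secret ID.
      # Assumption: a trusted deployment job creates it with a short wrap TTL
      # and drops it here shortly before the agent starts or re-authenticates.
      secret_id_file_path = "/vaultagent/rabbitmq_secretID"

      # Placeholder path. It must equal the path the wrapping token was
      # created on; the agent rejects a token wrapped on any other path.
      secret_id_response_wrapping_path = "auth/approle/role/ROLE_NAME/secret-id"

      # Default behaviour, restored: delete the file once it has been read,
      # so no reusable credential is left on the machine.
      remove_secret_id_file_after_reading = true
    }
  }

  sink "file" {
    config = {
      path = "/vaultagent/agent-token"
    }
  }
}
```

A wrapping token can be unwrapped only once, so an unwrap failure at agent login is a signal that the token was read by something else first and is worth alerting on. On the role itself, `secret_id_ttl` and `secret_id_num_uses` bound how long any delivered secret ID stays usable.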