Vault Agent - New Token

Hi,
I am learning to use Vault, I have installed the Vault agent on my Windows PC as a service and am using it to generate certificates and rotate these certificates on a regular basis.

However I am struggling to understand the purpose of the agent, after a certain amount of time (max 10hrs), the token that it generates expires, then the agent becomes useless as it can no longer access the vault.
Is there some means to have the Vault agent generate a new token after the old one has expired?
Thus keeping the agent able to perform its tasks indefinitely, without manual intervention?

Thank you.

The agent should continuously renew the token.
Might help to see your agent config and the config of the auth method it's using, if that isn't working for you.

Hi, thanks for the reply, I followed this guide:

Is there some means to log why it fails to renew the token?
Currently the only way to renew the token is to put in the root token and re-export the secret-id, then restart the service, which uses that secret-id to create a new valid token.

Or, even better, is there a command that forces Vault to issue a new token with the TTL restarted?

From that doc:
$ vault write auth/approle/role/vault-agent-role secret_id_ttl=90m token_num_uses=10 token_ttl=60m token_max_ttl=120m secret_id_num_uses=20

Tokens acquired from this role can only be used 10 times and have a maximum time to live of 2 hours.

Read up on the approle/role settings and configure to your needs.

@mikegreen appreciate the response, I understand the idea behind the timings and that makes perfect sense, it does what it says, I have no issue with that.

My problem is that there seems to be no means to keep the agent authenticated long term (beyond 10 hours) even if you set all values to zero, after 10 hours the token expires and the agent fails, it seems to have no in-built function to retrieve a new token to restart the timer.
This doesn’t seem like the design intent (what would be the point of having an agent), so it must be my setup, the question I need to answer now is what is wrong with my setup that prevents the agent from getting new tokens once the old token has expired.

This I guess is what I am struggling with, a means to log this (beyond just the failing authentication) or a command to run (like vault get new token), perhaps the answer will become obvious in time.

In the meantime, I will implement a scheduled task to restart the service every hour or so to generate a brand new token.

Here is a PowerShell script that reflects my current setup (needs to be run as administrator, requires a valid Vault URL and a token that can create policies and roles):

Thank you.

I think the remove_secret_id_after_reading = true line might be one thing that’s tripping you up. Once that is gone (after initial authentication) the agent has nothing to send a re-authentication request with when the current auth session expires. However, this obviously comes at the cost of having a credential on disk, which may be mitigated by setting strict ACLs to prevent casual users from viewing it.

Otherwise you may want to consider using the token_period parameter instead of the token_max_ttl. This is basically a keep-alive value and will/should keep the auth token alive until the process stops requesting a renewal. The token_num_uses parameter on your AppRole role would need to be removed or set to 0 otherwise you’ll run into the same problem.
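As an added example (not from the thread, and not HashiCorp's code), a small Python check that reads the JSON printed by `vault token lookup -format=json` for the token in the agent's file sink and reports which of the settings discussed above caps its lifetime. Both lookup outputs are constructed samples; the field names follow the real lookup response, the values are made up.

```python
import json

# Constructed sample of `vault token lookup -format=json` for a token issued by
# the role quoted earlier (token_num_uses=10, token_max_ttl=120m). Field names
# follow the lookup response; the values themselves are made up.
SAMPLE_CAPPED = json.dumps({"data": {
    "accessor": "ACCESSOR-PLACEHOLDER", "creation_ttl": 3600, "ttl": 1800,
    "explicit_max_ttl": 7200, "num_uses": 7, "period": 0,
    "renewable": True, "policies": ["agent-app02", "default"],
}})

# Constructed sample after changing the role to token_period=1m, token_num_uses=0.
SAMPLE_PERIODIC = json.dumps({"data": {
    "accessor": "ACCESSOR-PLACEHOLDER", "creation_ttl": 60, "ttl": 45,
    "explicit_max_ttl": 0, "num_uses": 0, "period": 60,
    "renewable": True, "policies": ["agent-app02", "default"],
}})


def lifetime_problems(lookup_json: str) -> list:
    """Return the reasons the agent will eventually lose this token.

    An empty list means the token is renewable, unlimited in uses and periodic,
    so Vault Agent's renewer can keep it alive indefinitely.
    """
    d = json.loads(lookup_json)["data"]
    problems = []
    if not d.get("renewable", False):
        problems.append("renewable=false: the agent cannot renew it at all")
    if d.get("num_uses", 0) > 0:
        problems.append(f"num_uses={d['num_uses']}: each request the token "
                        "authenticates consumes a use; set token_num_uses=0")
    if d.get("period", 0) == 0 and d.get("explicit_max_ttl", 0) > 0:
        problems.append(f"explicit_max_ttl={d['explicit_max_ttl']}s with no "
                        "period: renewals stop at the max TTL; use token_period")
    return problems


if __name__ == "__main__":
    for name, sample in (("capped", SAMPLE_CAPPED), ("periodic", SAMPLE_PERIODIC)):
        print(name, lifetime_problems(sample) or ["no lifetime cap found"])
```

Feed it the real lookup output for the sink token (for example `VAULT_TOKEN=$(cat /vault-agent/agent-token) vault token lookup -format=json`) to see which cap is hit before the agent dies.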

Unsure if it's config or maybe an issue… or Windows related.

Can you share:
Vault agent config
Vault agent debug log from startup, and at the 10hr mark when it dies

Hi, apologies for the slow response, thank you both @mikegreen and @jeffsanicola.

@jeffsanicola this worked, I thought maybe I needed to add sudo or something but no, I ran the following:

vault write auth/approle/role/agent-app02 secret_id_ttl=1m token_num_uses=0 period=1m token_ttl=1m secret_id_num_uses=150 token_policies="agent-app02"

However, the obvious issue with this is it never actually gets a new token, it just keeps renewing the original one.

@mikegreen I am not sure how to start a debug log for the vault agent, I can see to start the agent with this:

vault agent -config C:\vault-agent\vault-agent.hcl -log-level=DEBUG

However I cannot see where it is logging to (event viewer perhaps?)

The config from above:

# Vault Agent config (HCL)
vault {
  address = "https://vault.example.com:8200"
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path                   = "/vault-agent/webblog_role_id"
      secret_id_file_path                 = "/vault-agent/webblog_wrapped_secret_id"
      # keep the secret-id file so the agent can re-authenticate later
      remove_secret_id_file_after_reading = false
      secret_id_response_wrapping_path    = "auth/approle/role/agent-APP02/secret-id"
    }
  }

  # write the acquired token to a file for other processes to use
  sink "file" {
    config = {
      path = "/vault-agent/agent-token"
    }
  }
}

listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true
}

cache {
  use_auto_auth_token = true
}

Thank you.

Just being pedantic, sorry … but PLEASE don’t call your file .hcl and then put .json contents in it. It’s annoying to the next guy.

Apologies @aram I was just reflecting the code from the guide: Vault Agent Windows Service | Vault - HashiCorp Learn
You will have to forgive me I know neither json nor hcl, if you could tell me what to change (or should I just name the file .json?) I will change it.

No big deal, it's just a pet peeve of most admins.
Yes, just rename the file to .json and change your system unit file to match. Or change the content to HCL2 language – more work but I believe this is the recommended config.

I am "enjoying" this issue right now myself. I have a vault-agent auto-authing with a token I obtained during deployment.

It quickly spazzes out and tells me the token-id is invalid

If you run it from the CLI, it logs right to the terminal. Unsure how that works in Windows. But the logs at the non-renewal point are key to troubleshooting this.