Vault Agent - New Token

Vertiwell · September 12, 2021, 11:55pm

Hi,
I am learning to use Vault, I have installed the Vault agent on my Windows PC as a service and am using it to generate certificates and rotate these certificates on a regular basis.

However I am struggling to understand the purpose of the agent, after a certain amount of time (max 10hrs), the token that it generates expires, then the agent becomes useless as it can no longer access the vault.
Is there some means to have the Vault agent generate a new token after the old one has expired?
Thus keeping the agent able to perform it’s tasks indefinitely, without manual intervention?

Thank you.

mikegreen · September 13, 2021, 3:44pm

The agent should continuously renew the token.
Might help to see your agent config and the auth method its using config if that isn’t working for you.

Vertiwell · September 13, 2021, 9:46pm

Hi, thanks for the reply, I followed this guide:

Is there some means to log why it fails to renew the token?
Currently the only way to renew the token is to put in the root token and re-export the secret-id, then restart the service, which uses that secret-id to create a new valid token.

Or even better is there a command that forces Vault to issue a new token with the ttl restarted.

mikegreen · September 14, 2021, 4:56pm

From that doc
$ vault write auth/approle/role/vault-agent-role secret_id_ttl=90m token_num_uses=10 token_ttl=60m token_max_ttl=120m secret_id_num_uses=20

Tokens acquired from this role can only be used 10 times and have a maximum time to live of 2 hours.

Read up on the approle/role settings and configure to your needs.

Vertiwell · September 14, 2021, 10:14pm

@mikegreen appreciate the response, I understand the idea behind the timings and that makes perfect sense, it does what it says, I have no issue with that.

My problem is that there seems to be no means to keep the agent authenticated long term (beyond 10 hours) even if you set all values to zero, after 10 hours the token expires and the agent fails, it seems to have no in-built function to retrieve a new token to restart the timer.
This doesn’t seem like the design intent (what would be the point of having an agent), so it must be my setup, the question I need to answer now is what is wrong with my setup that prevents the agent from getting new tokens once the old token has expired.

This I guess is what I am struggling with, a means to log this (beyond just the failing authentication) or a command to run (like vault get new token), perhaps the answer will become obvious in time.

In the mean time, I will implement a scheduled task to restart the service every hour or so to generate a brand new token.

Here is a Powershell script that reflects my current setup (needs to be run as administrator, requires a valid vault URL and a token that can create policies and roles):

gist.github.com

https://gist.github.com/Vertiwell/da5d685c069cc4189117e8e592610b60

install_vault_agent.ps1

### Vault Agent on Windows - https://learn.hashicorp.com/tutorials/vault/agent-windows-service?in=vault/app-integration
## Run Powershell as administrator
$amiadmin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")
If ($amiadmin -ne 'True') {"This script needs to be run as Administrator, exiting.."; Start-Sleep -s 5; exit}
Else {"Script running as Administrator, continuing..."; Start-Sleep -s 5}
## Check if vault-agent path exists, if not create it
New-Item -ItemType Directory -Force -Path c:\vault-agent
## Check if vault program exits, if not create it: Download Vault: https://www.vaultproject.io/downloads
$testpath = Test-Path C:\vault-agent\vault.exe
If ($testpath -ne 'True') {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest https://releases.hashicorp.com/vault/1.8.2/vault_1.8.2_windows_amd64.zip -OutFile c:\vault-agent\vault_1.8.2_windows_amd64.zip; Expand-Archive -LiteralPath c:\vault-agent\vault_1.8.2_windows_amd64.zip -DestinationPath c:\vault-agent\}

This file has been truncated. show original

Thank you.

jeffsanicola · September 15, 2021, 12:45pm

I think the remove_secret_id_after_reading = true line might be one thing that’s tripping you up. Once that is gone (after initial authentication) the agent has nothing to send a re-authentication request with when the current auth session expires. However, this obviously comes at the cost of having a credential on disk, which may be mitigated by setting strict ACLs to prevent casual users from viewing it.

Otherwise you may want to consider using the token_period parameter instead of the token_max_ttl. This is basically a keep-alive value and will/should keep the auth token alive until the process stops requesting a renewal. The token_num_uses parameter on your AppRole role would need to be removed or set to 0 otherwise you’ll run into the same problem.

mikegreen · September 16, 2021, 4:04pm

Unsure if its config or maybe an issue… or windows related.

Can you share:
Vault agent config
Vault agent debug log from startup, and at the 10hr mark when it dies

Vertiwell · September 20, 2021, 12:49am

Hi, apologies for the slow response, thank you both @mikegreen and @jeffsanicola.

@jeffsanicola this worked, I thought maybe I needed to add sudo or something but no, I ran the following:

vault write auth/approle/role/agent-app02 secret_id_ttl=1m token_num_uses=0 period=1m token_ttl=1m secret_id_num_uses=150 token_policies="agent-app02"

However, the obvious issue with this is it never actually gets a new token, it just keeps renewing the original one.

@mikegreen I am not sure how to start a debug log for the vault agent, I can see to start the agent with this:

vault agent -config C:\vault-agent\vault-agent.hcl -log-level=DEBUG

However I cannot see where it is logging to (event viewer perhaps?)

The config from above:


vault {
  address = "https://vault.example.com:8200"
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
      config = {
        role_id_file_path = "/vault-agent/webblog_role_id"
        secret_id_file_path = "/vault-agent/webblog_wrapped_secret_id"
        remove_secret_id_file_after_reading = false
        secret_id_response_wrapping_path = "auth/approle/role/agent-APP02/secret-id"
    }
  }
  sink "file" {
    config = {
      path = "/vault-agent/agent-token"
      }
    }
}
listener "tcp" {
  address = "127.0.0.1:8100"
  tls_disable = true
}
cache {
  use_auto_auth_token = true
}

Thank you.

aram · September 20, 2021, 7:16am

Just being pedantic, sorry … but PLEASE don’t call your file .hcl and then put .json contents in it. It’s annoying to the next guy.

Vertiwell · September 20, 2021, 9:04pm

Apologies @aram I was just reflecting the code from the guide: Vault Agent Windows Service | Vault - HashiCorp Learn
You will have to forgive me I know neither json nor hcl, if you could tell me what to change (or should I just name the file .json?) I will change it.

aram · September 20, 2021, 11:34pm

No big deal, it’s just a pet peeve of most admins.
Yes, just rename the file to .json and change your system unit file to match. Or change the content to HCL2 language – more work but I believe this is the recommended config.

chrisbecke · September 21, 2021, 11:51am

I am “enjoying” this issue right now myself. I have a vault-agent auth-authing with a token I obtained during deployment.

It quickly spazzes out and tells me the token-id is invalid

mikegreen · September 21, 2021, 1:49pm

If you run it from the CLI, it logs right to the terminal. Unsure how that works in Windows. But the logs at the non-renewal point are key to troubleshooting this.

rajat · August 19, 2024, 11:45am

Hi,
I have one question

I’m working on integrating HashiCorp Vault into our application using Vault Agent for authentication. The initial setup works well, where the application reads the Vault token from a file generated by Vault Agent and uses it to authenticate with the Vault server.

However, I’m concerned about handling scenarios where the token’s max TTL is reached, and a new token is generated by Vault Agent.

Currently, our application reads the token once during initialization and uses it for subsequent operations. If the token expires and a new one is generated, the application wouldn’t automatically know about the new token, which could lead to failed operations.

To address this, I am thinking to implement a file watcher that monitors the token file for changes. When a new token is generated, the watcher reloads the token and updates the Vault client. While this seems to work in theory, I want to ensure that we’re following best practices and not missing any important considerations.

Here are the specific questions I have:

Is monitoring the token file for changes and reloading the token dynamically the recommended approach for handling token renewal with Vault Agent?
Are there any potential pitfalls or edge cases I should be aware of when implementing this solution?
Are there more efficient or reliable methods to ensure the application always has access to a valid token, especially in high-availability or production environments?

I’d appreciate any feedback or suggestions on improving this implementation.

Topic		Replies	Views
Handling Token Renewal with Vault Agent Vault vault	0	67	August 16, 2024
Vault agent to renew cert Vault	13	2179	March 5, 2024
Vault agent keeps the vault token in sink file as plain text Vault	2	309	August 19, 2024
Why does vault-agent not attempt re-authenticate, with secret-id when a token expired and cannot be renewed? Vault	0	284	October 14, 2023
Vault-agent PKI: Higher renewal frequency than ttl Vault	1	363	August 9, 2022

Vault Agent - New Token

Related topics