Vault agent - permission denied

Hello All,

Good day. I am working on a project where we have to pull secrets stored in HashiCorp Vault and get them rendered locally for the app to read.

I decided to use Vault Agent instead of reinventing the wheel and configured it like below:

vault {
  ca_path = "/var/run/secrets/vaultproject.io/vault-ca.crt"
  address = "https://masked:8200"
  vault_agent_token_file = "/tmp/token"
}

pid_file = "/tmp/pid"

auto_auth {
  method "cert" {
    type = "cert"
    mount_path = "auth/cert"
    namespace = "ccib/ch"
    config = {
      client_cert = "/var/run/secrets/vaultproject.io/write.crt"
      client_key = "/var/run/secrets/vaultproject.io/write.key"
      remove_secret_id_file_after_reading = "false"
    }
  }

  sink "file" {
    type = "file"
    config = {
      path = "/tmp/token"
    }
  }
}

template {
  source = "/tmp/test.hcl"
  destination = "/tmp/test.txt"
}

Content of test.hcl:

{{ with secret "maskedpath/DATA" }}
{{ . }}
{{ end }}

When I run it with the command

vault-1.6.3 agent -config vault-agent.config -tls-skip-verify -log-level=trace

it generates the token (in /tmp/token), which is valid, and then when rendering the secret it throws the error below:

URL: GET https://masked:8200/v1/maskedpath/DATA
Code: 403. Errors:

  • 1 error occurred:
    * permission denied

But at the same time, when I try it via curl it works perfectly fine:

curl --header "X-Vault-Token: $(cat /tmp/token)" --request GET https://masked:8200/v1/maskedpath/DATA

I need some advice.

Thanks

It’s been a while since I’ve used the Vault agent, but looking at my previous testing files, I did not have a sink configured when pulling secrets with the agent itself.

Perhaps remove the sink to see if that starts working for you?

Also, I believe the remove_secret_id_file_after_reading parameter is unnecessary in this case as you’re not using AppRole for authentication.

What type of secret is it?
I’ve never seen {{ . }}.
I use {{ .Data }} for all of it to be returned.

Hi,
I have one doubt

I’m working on integrating HashiCorp Vault into our application using Vault Agent for authentication. The initial setup works well, where the application reads the Vault token from a file generated by Vault Agent and uses it to authenticate with the Vault server.

However, I’m concerned about handling scenarios where the token’s max TTL is reached, and a new token is generated by Vault Agent.

Currently, our application reads the token once during initialization and uses it for subsequent operations. If the token expires and a new one is generated, the application wouldn’t automatically know about the new token, which could lead to failed operations.

To address this, I am thinking of implementing a file watcher that monitors the token file for changes. When a new token is generated, the watcher reloads the token and updates the Vault client. While this seems to work in theory, I want to ensure that we’re following best practices and not missing any important considerations.

Here are the specific questions I have:

  1. Is monitoring the token file for changes and reloading the token dynamically the recommended approach for handling token renewal with Vault Agent?
  2. Are there any potential pitfalls or edge cases I should be aware of when implementing this solution?
  3. Are there more efficient or reliable methods to ensure the application always has access to a valid token, especially in high-availability or production environments?

I’d appreciate any feedback or suggestions on improving this implementation.
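One way to implement the file-watching approach described above, as an added example (not code from this post, from HashiCorp, or from any Vault client library). It assumes the agent's file sink writes the token to a path you pass in, polls that file by stat rather than using an OS notification API, and keeps the last good token if the file is briefly missing or empty mid-rotation; the on_rotate callback is a hypothetical hook where you would update your Vault client.

```python
import os
import tempfile

class VaultTokenFile:
    """Re-read a Vault Agent file-sink token whenever the file changes.
    Change detection is by stat (inode, size, mtime) so the file is only read
    when something changed; a missing or empty file is treated as a rotation
    in progress and the last good token is kept."""

    def __init__(self, path, on_rotate=None):
        self.path = path
        self.on_rotate = on_rotate  # hypothetical hook, e.g. lambda t: setattr(client, "token", t)
        self.token = None           # last good token, None until first successful read
        self._sig = None            # (inode, size, mtime_ns) of the last file we read

    def _signature(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return None  # sink not written yet, or being replaced
        return (st.st_ino, st.st_size, st.st_mtime_ns)

    def refresh(self):
        """Poll the file once; return True if a different token was loaded."""
        sig = self._signature()
        if sig is None or sig == self._sig:
            return False
        with open(self.path, encoding="utf-8") as f:
            token = f.read().strip()
        if not token:
            return False  # partial write: keep the old token, retry next poll
        changed = token != self.token
        self._sig, self.token = sig, token
        if changed and self.on_rotate:
            self.on_rotate(token)
        return changed

def simulate_rotation():
    """Constructed demo: two token writes with an empty write in between."""
    seen = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")
        src = VaultTokenFile(path, on_rotate=seen.append)
        src.refresh()  # file does not exist yet: nothing loaded, no error
        for t in ("hvs.CONSTRUCTED_first", "", "hvs.CONSTRUCTED_second_longer"):
            with open(path, "w", encoding="utf-8") as f:
                f.write(t + "\n")  # constructed token values, not real Vault tokens
            src.refresh()
        return seen, src.token
```

Call refresh() before each Vault request or from a periodic timer; the empty write in the demo is only reported once the file holds a complete token again.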