Vault-agent refresh after Raft restore


I’m currently working on a backup/restore feature on our app which uses:

  • postgresql for data
  • vault for managing postgresql users credentials, which uses vaultuser for connecting to postgresql
  • vault-agent for giving these credentials to our app pods

I’m able to do a restore by using pg_restore, vault operator raft snapshot restore and restoring the password for vaultuser. After this, the vault-agent in the app pods seem to take a long time to take this state change into account. For a few minutes it stays will older credentials pre-restore, then new credentials kick in. After that, my app works perfectly with the restored state.

Am I missing a step? Is there a way to tell the vault-agents to request new credentials faster?


Restart the Vault agent processes?

Restoring an entire Vault cluster from backup is a pretty major operation and invalidates assumptions that normal clients make about TTLs.

I see. Is there a way to trigger a refresh, or do you have to restart the sidecar?

Vault doesn’t have database triggers, so it can’t detect a change in Postgress. I don’t think there is much you can do as Vault keeps its own state and never actually checks to see what is going on in the database.