Vault Agent Template not triggered after rotate-role

ksdc-andreo · July 27, 2021, 9:57am

I’m successfully using the OpenLDAP Secrets Engine together with a Vault Agent to render a template on a host that references a Static Role. The Static Role has a rotation period and the Vault Agent automatically updates the template when the TTL expires.

However, when I manually rotate the password, the credentials are updated in OpenLDAP but the Vault Agent does not automatically update the template.

Is this a defect or expected behaviour?
It it possible to manually tell the agent to re-render the templates?

mikegreen · July 27, 2021, 1:41pm

Per the docs, does not seem like there is any exception for a manually rotated secret. It is about TTL and renewal. For agent to know something was manually rotated, it’d have to poll or an event to be fired to alert it… which does not exist today.

Topic		Replies	Views
Is it possible to automatically detect and reissue revoked secrets with consul-template? Consul consul-template	1	1203	October 16, 2019
Issue with refresh of non-leased secret via vault agent side car Vault	0	82	May 17, 2024
Manually trigger secret rendering with Vault Agent Vault	0	164	October 10, 2022
LDAP secrets engine dynamic role renewals with vault agent Vault	0	106	June 8, 2023
Vault Agent & client-side triggering template rewrites Vault	0	294	March 31, 2020

Vault Agent Template not triggered after rotate-role

Related topics