Vault approach for secret id generation

Hi ,
In vault we are using 2 factor authentication by having role id and secret id separate . But secret id will expire after a certain time and we again need the git hub token to renew the secret id . In this case we do end up saving the github token in some place and if a user can get hold of the github token , the user will also be able to read the values from vault .
What is the suggested approach for this scenarion ?