We’re running into a race condition around auto-auth, and I’m wondering if there is a way to query the vault agent and confirm that auth has succeeded?
Situation: we have a script that determines which environment (cloud) someone is operating in, which secrets need to be retrieved, then starts up (forks a child process with) vault agent to get those secrets. The main process sets the `VAULT_ADDR` environment variable appropriately for the agent.
It works, 100% of the time IF one of two things happens:
- they use it in an “access” model which punts back to them saying the agent is available
- we put `sleep(10)` after forking a child with the vault agent
Where it is failing (inconsistently) is if we proceed immediately to trying to get secrets. Sometimes it returns an error saying you have no access to the secrets. Running with `VAULT_LOG_LEVEL=trace` it’s easy to see that the successes happen when Vault says the authentication succeeded before we attempt the query, and the failures do not show this.
Inserting additional `sleep()` statements has worked around the problem, but what I’d rather do is query the vault agent directly … “Hey, everything good?”
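One way to replace the fixed sleep with a bounded readiness check, as an added example that is not part of the original post. It assumes the agent's auto-auth configuration includes a file sink, so a non-empty token file written after startup means authentication succeeded; the sink path and the helper names `wait_for_sink_token` and `start_and_wait` are hypothetical.

```python
import os
import subprocess
import time


class AgentNotReady(Exception):
    """The agent exited, or the deadline passed, before a token appeared."""


def wait_for_sink_token(sink_path, child, timeout=30.0, interval=0.1):
    """Poll the (assumed) file sink until it holds a token, then return it."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        # Sample the exit status first: if the child has already exited,
        # the read below sees everything it managed to write.
        exited = child.poll() is not None
        try:
            with open(sink_path, "r", encoding="utf-8") as fh:
                token = fh.read().strip()
            if token:
                return token
        except FileNotFoundError:
            pass  # auth has not completed yet
        if exited:
            # Fail fast instead of waiting out the timeout on a dead agent.
            raise AgentNotReady(f"agent exited with code {child.returncode}")
        time.sleep(interval)
    raise AgentNotReady(f"no token in {sink_path} after {timeout}s")


def start_and_wait(agent_cmd, sink_path, timeout=30.0):
    """Fork the agent, then block until auth is confirmed (no fixed sleep)."""
    # Remove a stale token from an earlier run so only a fresh one counts.
    try:
        os.unlink(sink_path)
    except FileNotFoundError:
        pass
    child = subprocess.Popen(agent_cmd)
    try:
        return child, wait_for_sink_token(sink_path, child, timeout)
    except AgentNotReady:
        child.kill()
        child.wait()
        raise
```

The caller only proceeds to secret retrieval once `start_and_wait` returns, and gets a distinct error for "agent died" versus "auth never completed in time".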