We’re running into a race condition around auto-auth, and I’m wondering if there is a way to query the vault agent and confirm that auth has succeeded?
Situation: we have a script that determines which environment (cloud) someone is operating in, which secrets need to be retrieved, then starts up (forks a child process with) vault agent to get those secrets. The main process sets
VAULT_ADDR environment variable appropriately for the agent.
It works, 100% of the time IF one of two things happens:
- they use it in an “access” model which punts back to them saying the agent is available
- we put
sleep(10)after forking a child with the vault agent
Where it is failing (inconsistently) is if we proceed immediately to trying to get secrets. Sometimes it returns an error saying you have no access to the secrets. Running with
VAULT_LOG_LEVEL=trace it’s easy to see that the successes happen when Vault says the authentication succeeded before we attempt the query, and the failures do not show this.
sleep() statements has worked around the problem, but what I’d rather do is query the vault agent directly … “Hey, everything good?”