Why does vault-agent not attempt to re-authenticate with secret-id when a token has expired and cannot be renewed?

I was under the impression that vault-agent would attempt to re-authenticate with the secret-id and role-id (approle) it originally used when its token has expired and cannot be renewed. Weirdly, it doesn’t for me.

Was I mistaken, or is there another thing I should have configured?

Here is part of my JSON config:

  "auto_auth": [
    {
      "method": [
        {
          "config": {
            "remove_secret_id_file_after_reading": false,
            "role_id_file_path": "/var/lib/secrets/vault/role_id",
            "secret_id_file_path": "/var/lib/secrets/vault/secret_id"
          },
          "exit_on_err": true,
          "mount_path": "auth/approle",
          "type": "approle"
        }
      ],
      "sinks": [
        {
          "sink": {
            "config": {
              "mode": 432,
              "path": "/root/.vault-token"
            },
            "type": "file"
          }
        },
        {
          "sink": {
            "config": {
              "mode": 432,
              "path": "/var/lib/secrets/vault/vault-token"
            },
            "type": "file"
          }
        }
      ]
    }
  ]

error_on_exit is true because I want to leave it up to systemd to restart the agent (which it does when the token has expired and cannot be renewed).