I was under the impression that vault-agent would attempt to re-authenticate with the secret-id and role-id (approle) it originally used when its token expired and cannot be renewed. Weirdly, it doesn't for me.
Was I mistaken, or is there something else I should have configured?
Here is part of my JSON config:
"auto_auth": [
  {
    "method": [
      {
        "config": {
          "remove_secret_id_file_after_reading": false,
          "role_id_file_path": "/var/lib/secrets/vault/role_id",
          "secret_id_file_path": "/var/lib/secrets/vault/secret_id"
        },
        "exit_on_err": true,
        "mount_path": "auth/approle",
        "type": "approle"
      }
    ],
    "sinks": [
      {
        "sink": {
          "config": {
            "mode": 432,
            "path": "/root/.vault-token"
          },
          "type": "file"
        }
      },
      {
        "sink": {
          "config": {
            "mode": 432,
            "path": "/var/lib/secrets/vault/vault-token"
          },
          "type": "file"
        }
      }
    ]
  }
]
exit_on_err is true because I want to leave it up to systemd to restart the agent (which it does when the token expired and cannot be renewed).
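The following is an added example, not code from the post above and not Vault Agent's own code. It reproduces what the agent does when it starts (read role_id and secret_id from the configured files, then POST them to the approle login endpoint under the configured mount_path) and adds the two checks worth running when a restarted agent fails to log in: a static lint of the auto_auth method block, and a lookup of whether the on-disk secret_id still has uses and TTL left. It assumes a VAULT_ADDR environment variable, a role name (ROLE_NAME / "agent" in the comments; the post only shows the opaque role_id), and, for the lookup, a token that is allowed to read the role; none of these come from the post.

```python
"""Added example (not Vault Agent's code): reproduce the agent's start-up login
and check the on-disk AppRole credentials it depends on.

Assumptions not in the post: VAULT_ADDR points at the server, the AppRole's
name is known (the post only has the opaque role_id), and the caller's token
is allowed to read the role for the secret-id lookup."""
import json
import os
import urllib.error
import urllib.request

# The auto_auth method block from the post, embedded here as constructed input.
POST_CONFIG = {
    "auto_auth": [{
        "method": [{
            "config": {
                "remove_secret_id_file_after_reading": False,
                "role_id_file_path": "/var/lib/secrets/vault/role_id",
                "secret_id_file_path": "/var/lib/secrets/vault/secret_id",
            },
            "exit_on_err": True,
            "mount_path": "auth/approle",
            "type": "approle",
        }],
    }],
}


def http_post(url, body, token=None):
    """Minimal Vault HTTP call; returns (status, decoded JSON body or None)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def lint_method(cfg):
    """Static checks on the auto_auth method that decide whether a restarted
    agent can log in again with the same role_id/secret_id files."""
    method = cfg["auto_auth"][0]["method"][0]
    mcfg = method["config"]
    findings = []
    # The agent deletes the secret_id file after reading it unless told not to
    # (the option defaults to true); a restart would then find no secret_id.
    if mcfg.get("remove_secret_id_file_after_reading", True):
        findings.append("secret_id file is removed after first read")
    # With exit_on_err the agent exits on an auth error instead of staying up
    # and retrying, so a new login only happens if something restarts it.
    if method.get("exit_on_err", False):
        findings.append("exit_on_err=true: agent exits on auth error, relies on supervisor restart")
    return findings


def read_credential(path):
    """Read role_id or secret_id the way the agent does: whole file, trimmed."""
    with open(path) as fh:
        return fh.read().strip()


def approle_login(vault_addr, mount_path, role_id, secret_id, post=http_post):
    """What the agent does at start-up: POST /v1/<mount_path>/login."""
    status, body = post(f"{vault_addr}/v1/{mount_path}/login",
                        {"role_id": role_id, "secret_id": secret_id})
    if status != 200 or not body or "auth" not in body:
        errors = (body or {}).get("errors", [])
        raise RuntimeError(f"approle login failed: HTTP {status} {errors}")
    auth = body["auth"]
    return {"token": auth["client_token"],
            "ttl": auth["lease_duration"],
            "renewable": auth["renewable"]}


def secret_id_status(vault_addr, mount_path, role_name, secret_id, token,
                     post=http_post):
    """Ask Vault whether the secret_id still has uses and TTL left. Needs a
    token with read access to the role (the agent's own token usually lacks it)."""
    status, body = post(
        f"{vault_addr}/v1/{mount_path}/role/{role_name}/secret-id/lookup",
        {"secret_id": secret_id}, token=token)
    if status != 200 or not body or "data" not in body:
        return {"valid": False, "status": status}
    data = body["data"]
    return {"valid": True,
            "num_uses": data.get("secret_id_num_uses"),  # 0 means unlimited
            "expiration_time": data.get("expiration_time")}


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # assumed
    method = POST_CONFIG["auto_auth"][0]["method"][0]
    for finding in lint_method(POST_CONFIG):
        print("config:", finding)
    role_id = read_credential(method["config"]["role_id_file_path"])
    secret_id = read_credential(method["config"]["secret_id_file_path"])
    print(approle_login(addr, method["mount_path"], role_id, secret_id))
```

If approle_login fails with the same files that worked the first time, secret_id_status (run with an operator token and the role's name) tells you whether the secret_id itself has run out of uses or passed its TTL, which is the condition a restarted agent cannot recover from no matter how it is supervised.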