Why does vault create a .cache/snowflake folder?


Recently our HIDS alerted about a new folder created under /.cache/snowflake. After a lot of digging around we found out that vault creates this folder and is looking for an ocsp_response_cache.json file. However, even if I tried to make the /.cache folder non-writable, I saw no observable issue with vault's functionality.
There is nothing in vault's documentation, and we don't use vault's snowflake database plugin at all.
I need a way either to choose where this folder is created or to completely prevent vault from creating it in the first place. What is the purpose of this folder/file after all? Do I need to open an issue instead?

Here is a part of an strace:

strace /opt/vault/bin/vault write -field=token -address= auth/approle/login \
    role_id=XXXXX secret_id=XXXXX 2>&1 | grep -e cache -e snowflake
newfstatat(AT_FDCWD, "/home/user/.cache/snowflake", 0xc000250b98, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/home/user/.cache/snowflake", 0xc000251e48, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/home/user/.cache", {st_mode=S_IFDIR|0700, st_size=17, ...}, 0) = 0
mkdirat(AT_FDCWD, "/home/user/.cache/snowflake", 0777) = 0
openat(AT_FDCWD, "/home/user/.cache/snowflake/ocsp_response_cache.json", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

Thank you

I’d check your vault to see why the snowflake plugin is engaging. AFAIK the plugin shouldn’t engage unless it’s enabled. Check your startup and audit logs.

The Snowflake plugin is definitely not enabled, and this folder appears even in other local laptop installations we checked.
I guess a go lib is triggered in the background for some reason.

We are seeing the same issue in our open source installation as well. The plugin is not enabled but the .cache/snowflake folder is still being created. It’s flooding the logs as it is violating our FIM policy. Is there a way to avoid this?
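As an added illustration (not from this thread, from Vault or from any Snowflake driver) of the mechanism the second reply guesses at: a Go library that prepares its on-disk cache eagerly at package load touches the filesystem whether or not the feature that needs it is ever enabled, and the fix is to resolve the location from an override and create it lazily. The variable name EXAMPLE_CACHE_DIR and the fallback paths are this example's own assumptions; the real driver's override variable, if any, has to be taken from its documentation.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// EXAMPLE_CACHE_DIR is a hypothetical per-library override for this example.
const overrideEnv = "EXAMPLE_CACHE_DIR"

// cacheDir resolves where a library like this would keep its cache. The
// environment lookup is injected so the resolution can be tested offline.
// Order: explicit override, then XDG_CACHE_HOME, then $HOME/.cache/<subdir>,
// which is the path the thread's strace shows being created.
func cacheDir(getenv func(string) string) string {
	if d := getenv(overrideEnv); d != "" {
		return d
	}
	if x := getenv("XDG_CACHE_HOME"); x != "" {
		return filepath.Join(x, "snowflake")
	}
	return filepath.Join(getenv("HOME"), ".cache", "snowflake")
}

// eagerInit is what a package-level init() would do: create the directory
// as soon as the package is linked in, before anyone asked for the feature.
// This is the behaviour a FIM policy sees as an unexplained write.
func eagerInit(getenv func(string) string) error {
	return os.MkdirAll(cacheDir(getenv), 0o700)
}

// lazyOpen is the hardened form: the directory and the cache file path are
// only produced on first real use, so an unused plugin leaves no trace.
func lazyOpen(getenv func(string) string) (string, error) {
	dir := cacheDir(getenv)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	return filepath.Join(dir, "ocsp_response_cache.json"), nil
}

func main() {
	// Only report where the cache would go; nothing is created at startup.
	fmt.Println("cache would be resolved to:", cacheDir(os.Getenv))
}
```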