Why is the Vault sidecar with the AWS auth method creating a .aws/credentials file?

The Vault Agent sidecar is creating a .aws/credentials file inside the Vault container. Vault Agent also runs to keep the token and secrets updated, but the credentials file has temporary AWS creds from the IAM role assigned to the pod.

After some time, when these credentials have expired, Vault Agent gets a 401 from the Vault server and keeps retrying the Vault login.

Renaming or deleting the ~/.aws/credentials file fixes this problem.

I want to know why this file is created, and is there a way to avoid it?

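A small diagnostic for the situation described in the post above: it inspects an .aws/credentials file in the agent's home directory and reports which profiles hold temporary (STS session-token) credentials, and whether such a file is older than the lifetime those credentials can be expected to have. This is an added example, not code from the thread or from Vault; the sample file content is constructed, the key values are placeholders, and the 3600-second threshold is an assumption.

```python
"""Inspect an AWS shared credentials file for temporary credentials.

Added example (not from the thread). The sample below is constructed and
contains placeholder values only.
"""
import configparser
import os
import time

# Constructed sample: one temporary profile (has aws_session_token) and one
# long-lived profile (access key + secret only). Values are placeholders.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = ASIAEXAMPLEPLACEHOLD
aws_secret_access_key = placeholder-secret
aws_session_token = placeholder-session-token

[long-lived]
aws_access_key_id = AKIAEXAMPLEPLACEHOLD
aws_secret_access_key = placeholder-secret
"""


def classify_profiles(text):
    """Return {profile_name: "temporary" | "static"} for each profile.

    A profile carrying aws_session_token was issued by STS (an assumed role,
    a pod/instance role, ...) and will expire; a profile without one is a
    long-lived access key.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    result = {}
    for name in parser.sections():
        section = parser[name]
        if "aws_access_key_id" not in section:
            continue
        kind = "temporary" if "aws_session_token" in section else "static"
        result[name] = kind
    return result


def shadowing_risk_from_text(text, age_seconds, max_age_seconds):
    """Pure check: does this file content hold temporary credentials that
    are older than max_age_seconds? As in the thread, a stale file of this
    kind is what the agent ends up using, so Vault login fails with 401
    instead of the agent picking up fresh role credentials.
    """
    profiles = classify_profiles(text)
    has_temporary = "temporary" in profiles.values()
    return {
        "profiles": profiles,
        "has_temporary": has_temporary,
        "stale_temporary": has_temporary and age_seconds > max_age_seconds,
    }


def shadowing_risk(path, max_age_seconds=3600, now=None):
    """Filesystem wrapper: read `path` (if present) and evaluate it."""
    if not os.path.exists(path):
        return {"exists": False, "profiles": {}, "has_temporary": False,
                "stale_temporary": False}
    with open(path) as fh:
        text = fh.read()
    age = (now if now is not None else time.time()) - os.path.getmtime(path)
    report = shadowing_risk_from_text(text, age, max_age_seconds)
    report["exists"] = True
    return report


if __name__ == "__main__":
    # Default location the SDKs read; HOME is whatever the agent runs under.
    path = os.path.expanduser("~/.aws/credentials")
    print(shadowing_risk(path))
    # Same logic over the constructed sample, pretending the file is 2h old:
    print(shadowing_risk_from_text(SAMPLE_CREDENTIALS, 7200, 3600))
```

Run it inside the agent container (or against a copy of the file) to confirm whether a credentials file with session tokens is present and how old it is before blaming the Vault login itself.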

It’s called a sink file, and it’s configured in the sidecar/init container. You can disable it.

Thanks for the reply @aram. I think the sink file is the actual secret from Vault.
What I am seeing is that when the Vault container uses the pod-level IAM role, it creates an aws/credentials file, and those credentials are temporary; when they expire, Vault Agent can’t authenticate to the Vault server.

Do you mean that aws/credentials is also a sink file and can’t be removed? I would want to remove aws/credentials but keep the Vault token that is fetched by the Vault sidecar.

Now I re-read my own answer - it’s just wrong. Sink files are the Vault token files that get created, not external secrets.

The credentials file is most likely getting created using consul-template (no Consul required, it’s just a template language) – now that’s just a guess, as it could be done using many different tools, including just a simple bash script. I’d recommend looking at your deployment Helm chart/values.yaml, as it would be pretty evident what is set to run in the init container (not the sidecar), since it’s obviously expiring and not continuously updated.
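For reference, this is what the "sink" in the exchange above refers to in a Vault Agent configuration: the sink is where Agent writes the Vault token it obtained, which is a separate thing from any AWS credentials the aws auth method reads. This is an added example, not a config from the thread or from the Vault project; the Vault address, mount path, role name, poll interval and sink path are assumptions.

```hcl
# Added example (not from the thread): Vault Agent with the aws auth method
# and a file sink. All addresses, paths and names below are assumptions.
pid_file = "/home/vault/.pid"

vault {
  address = "https://vault.example.internal:8200" # assumed Vault address
}

auto_auth {
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type = "iam"
      role = "my-app-role" # assumed Vault role bound to the pod's IAM role
      # With type = "iam", Agent signs a GetCallerIdentity request using
      # whatever AWS credentials the AWS SDK resolves in its environment.
      # A credentials file in the agent's home is one of those sources, so
      # a stale one produces the 401-and-retry loop described in the thread.
      credential_poll_interval = 60 # seconds between re-reading AWS creds
    }
  }

  # The sink is the Vault token, written for the application to pick up.
  # It is not an AWS credentials file and is not what expires here.
  sink "file" {
    config = {
      path = "/home/vault/.vault-token"
      mode = 0640
    }
  }
}
```

Comparing a running sidecar's agent config (the one passed via -config) with the above makes it quick to tell the token sink apart from anything else that writes into the container's home directory.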

Thanks for the pointers. I figured out it’s our own binary that executes and creates the .aws/credentials file before the vault agent -config=/tmp/config.json command.