I recently discovered a “gotcha” when using vault-agent with auto_auth via approle.
You must configure the approle used for auto-auth to issue periodic tokens. If you don't, the token will eventually hit its max_ttl and no longer be allowed to renew itself. Even if you set max_ttl=0 on the approle, the token will eventually hit the default system-wide max token TTL instead. To avoid this, simply configure token_period on the approle:
vault write auth/approle/role/vault-agent-role token_period=30m
There is one alternative to this: configure vault-agent not to remove the secret_id file after it has been read from disk, which it does by default. Example:
auto_auth {
  method {
    type = "approle"
    config = {
      role_id_file_path                   = "/etc/vault/role-id"
      secret_id_file_path                 = "/etc/vault/secret-id"
      remove_secret_id_file_after_reading = false
    }
  }
}
With this setting, vault-agent can log in again with the role_id and secret_id and obtain a brand-new token, which restarts the whole TTL process (at the cost of leaving the secret_id readable on disk for as long as the agent runs).
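A quick way to verify which of these situations you are in is to inspect the agent's token rather than the role. The checker below is an added example and not part of the original post; it consumes the output of vault token lookup -format=json (the sample documents are constructed and abbreviated) and reports whether the token is periodic, bounded by an explicit max TTL, bounded only by the system-wide max TTL, or not renewable at all.

```python
import json
import sys

# Constructed sample: what `vault token lookup -format=json` returns (abbreviated)
# for a token issued by an AppRole configured with token_period=30m.
PERIODIC_LOOKUP = json.dumps({"data": {
    "renewable": True, "period": 1800, "ttl": 1799,
    "explicit_max_ttl": 0, "creation_ttl": 1800, "path": "auth/approle/login"}})

# Constructed sample: the same role without token_period and with token_max_ttl=0.
# The token can be renewed only until the system-wide max TTL, then the agent is stuck.
DEFAULT_LOOKUP = json.dumps({"data": {
    "renewable": True, "ttl": 3599, "explicit_max_ttl": 0,
    "creation_ttl": 3600, "path": "auth/approle/login"}})

# Constructed sample: a token that was never renewable in the first place.
NONRENEWABLE_LOOKUP = json.dumps({"data": {"renewable": False, "ttl": 60}})


def classify_token(lookup_json: str) -> str:
    """Explain what bounds the lifetime of the token described by a lookup document."""
    data = json.loads(lookup_json)["data"]
    if not data.get("renewable", False):
        return "not renewable: expires after ttl=%ds" % data.get("ttl", 0)
    period = data.get("period", 0)
    if period > 0:
        # Periodic tokens never hit a max TTL as long as they are renewed within each period.
        return "periodic: renewable indefinitely if renewed every %ds" % period
    explicit_max = data.get("explicit_max_ttl", 0)
    if explicit_max > 0:
        # Set by token_max_ttl on the role; renewals stop at this point.
        return "bounded: cannot renew past explicit_max_ttl=%ds" % explicit_max
    # No period and no explicit max: the system-wide max TTL applies.
    return "bounded: cannot renew past the system-wide max TTL (vault-agent will get stuck)"


def agent_token_is_safe(lookup_json: str) -> bool:
    """True only when vault-agent can keep renewing this token forever."""
    return classify_token(lookup_json).startswith("periodic")


if __name__ == "__main__":
    # Usage: VAULT_TOKEN=<agent token> vault token lookup -format=json | python3 check_token.py
    print(classify_token(sys.stdin.read()))
```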