Secret ttl handling #1451
Conversation
@eikenb Whoops... yep. Missed adding some context when promoting this from draft. Updated.
Tested this manually as well, and the secret ID renewal honors the
Manual run output
LGTM!
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
I'll merge this when I review what to add to the point release I'll be making.
LGTM
The secret IDs from AppRole don't have leases, but they may have a TTL. A number of users have requested that Vault Agent (which consumes consul-template's templating logic) base fetching new secret IDs on the role's TTL, and not just the default 5 minute cadence for non-leased secrets. For users with shorter TTLs, this change will ensure the secret ID isn't expired. For those with much longer TTLs, it will reduce unnecessary early fetching of new secret IDs.
This PR pairs with (but doesn't require) hashicorp/vault#10826 which will start embedding the role TTL into the secret ID response.
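To illustrate the scheduling change described in this PR, here is an added Go example (not consul-template's or Vault's own code) that picks a refresh interval from a secret ID response: the default 5 minute cadence when no TTL is present, a fraction of the TTL otherwise. The `secret_id_ttl` field name, the two-thirds fraction and the 5 second floor are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Fallback polling interval for secrets with neither a lease nor a TTL.
const defaultNonLeaseCadence = 5 * time.Minute

// Assumed floor so a very short TTL cannot become a hot loop against Vault.
const minRefresh = 5 * time.Second

// secretIDResponse models the parts of an AppRole secret-id response this
// example reads. The field names are assumptions for illustration.
type secretIDResponse struct {
	Data struct {
		SecretID    string `json:"secret_id"`
		SecretIDTTL int    `json:"secret_id_ttl"` // seconds; 0 means no expiry
	} `json:"data"`
}

// refreshInterval returns how long to wait before fetching a new secret ID.
// No TTL keeps the default cadence; otherwise refresh at two-thirds of the
// TTL (an assumed fraction) so the ID is replaced before it expires.
func refreshInterval(ttlSeconds int) time.Duration {
	if ttlSeconds <= 0 {
		return defaultNonLeaseCadence
	}
	interval := time.Duration(ttlSeconds) * time.Second * 2 / 3
	if interval < minRefresh {
		return minRefresh
	}
	return interval
}

// parseSecretIDTTL extracts the TTL in seconds from a raw JSON response body.
func parseSecretIDTTL(body []byte) (int, error) {
	var r secretIDResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return 0, err
	}
	return r.Data.SecretIDTTL, nil
}

func main() {
	// Constructed sample response for a role with a 10 minute secret_id_ttl.
	sample := []byte(`{"data":{"secret_id":"example-id","secret_id_ttl":600}}`)
	ttl, err := parseSecretIDTTL(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("with ttl:", refreshInterval(ttl)) // 6m40s
	fmt.Println("no ttl:  ", refreshInterval(0))   // 5m0s
}
```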