open-vault/website/content/docs/agent/autoauth/sinks/file.mdx

28 lines
1.3 KiB
Plaintext
Raw Normal View History

2018-07-25 02:02:27 +00:00
---
layout: docs
page_title: Vault Agent Auto-Auth File Sink
description: File sink for Vault Agent Auto-Auth
2018-07-25 02:02:27 +00:00
---
# Vault Agent Auto-Auth File Sink
2018-07-25 02:02:27 +00:00
The `file` sink writes tokens, optionally response-wrapped and/or encrypted, to
a file. This may be a local file or a file mapped via some other process (NFS,
Gluster, CIFS, etc.).
Once the sink writes the file, it is up to the client to control lifecycle;
generally it is best for the client to remove the file as soon as it is seen.
It is also best practice to write the file to a ramdisk, ideally an encrypted
ramdisk, and use appropriate filesystem permissions. The file is currently
written with `0640` permissions as default, but can be overridden with the optional
'mode' setting.
2018-07-25 02:02:27 +00:00
## Configuration
- `path` `(string: required)` - The path to use to write the token file
- `mode` `(int: optional)` - A string containing an octal number representing the bit pattern for the file mode, similar to chmod. Set to `0000` to prevent Vault from modifying the file mode. Note: This configuration option is only available in Vault 1.3.0 and above.
2021-12-07 20:16:14 +00:00
~> Note: Configuration options for response-wrapping and encryption for the sink
file are located within the [options common to all sinks](/docs/agent/autoauth#configuration-sinks) documentation.