open-vault/website/content/docs/agent/autoauth/sinks/file.mdx

---
layout: docs
page_title: Vault Agent Auto-Auth File Sink
description: File sink for Vault Agent Auto-Auth
---

# Vault Agent Auto-Auth File Sink

The `file` sink writes tokens, optionally response-wrapped and/or encrypted, to
a file. This may be a local file or a file mapped via some other process (NFS,
Gluster, CIFS, etc.).

Once the sink writes the file, it is up to the client to control lifecycle;
generally it is best for the client to remove the file as soon as it is seen.

It is also best practice to write the file to a ramdisk, ideally an encrypted
ramdisk, and use appropriate filesystem permissions. The file is currently
written with `0640` permissions as default, but can be overridden with the optional
'mode' setting.

## Configuration

- `path` `(string: required)` - The path to use to write the token file
- `mode` `(int: optional)` - A string containing an octal number representing the bit pattern for the file mode, similar to chmod. Set to `0000` to prevent Vault from modifying the file mode. Note: This configuration option is only available in Vault 1.3.0 and above.
VSI (#4985) 2018-07-25 02:02:27 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
			`page_title: Vault Agent Auto-Auth File Sink`
			`description: File sink for Vault Agent Auto-Auth`
VSI (#4985) 2018-07-25 02:02:27 +00:00			`---`

New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`# Vault Agent Auto-Auth File Sink`
VSI (#4985) 2018-07-25 02:02:27 +00:00
			The `file` sink writes tokens, optionally response-wrapped and/or encrypted, to
			`a file. This may be a local file or a file mapped via some other process (NFS,`
			`Gluster, CIFS, etc.).`

			`Once the sink writes the file, it is up to the client to control lifecycle;`
			`generally it is best for the client to remove the file as soon as it is seen.`

			`It is also best practice to write the file to a ramdisk, ideally an encrypted`
			`ramdisk, and use appropriate filesystem permissions. The file is currently`
Allow setting file mode on vault agent sink file (#7275) * feat: enable setting mode on vault agent sink file * doc: update vault agent file sink with mode configuration 2019-08-22 03:41:55 +00:00			written with `0640` permissions as default, but can be overridden with the optional
			`'mode' setting.`
VSI (#4985) 2018-07-25 02:02:27 +00:00
			`## Configuration`

			- `path` `(string: required)` - The path to use to write the token file
Implement MDX Remote (#10581) * implement mdx remote * fix an unfenced code block * fix partials path Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com> 2020-12-17 21:53:33 +00:00			- `mode` `(int: optional)` - A string containing an octal number representing the bit pattern for the file mode, similar to chmod. Set to `0000` to prevent Vault from modifying the file mode. Note: This configuration option is only available in Vault 1.3.0 and above.